
A critical vulnerability in Next.js (CVE-2025-29927) lets attackers bypass middleware-based authentication and authorization by setting the x-middleware-subrequest header on their own requests. Next.js uses this header internally to stop middleware from recursively invoking itself; affected versions trust it on external requests as well, so a request that carries the expected value skips the middleware entirely, and with it any auth check implemented there.
The issue affects Next.js versions from 11.1.4 up to the patched releases. Fixes are available in versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5. If upgrading isn’t possible, block requests that carry the x-middleware-subrequest header, or strip the header, at the reverse proxy in front of the application (for example in the NGINX or Apache configuration) so that it never reaches Next.js.
Prompt action is recommended to avoid exploitation: all self-hosted Next.js deployments that run next start with output: standalone should update as soon as possible.
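The server-level mitigation described above, as an added example that is not part of the original post or of Vercel’s advisory: an NGINX reverse-proxy configuration that rejects any external request carrying x-middleware-subrequest and also strips the header from everything it forwards. The hostname example.com and the upstream address 127.0.0.1:3000 are assumptions; adjust them to your deployment.

```nginx
# Added example (not from Vercel's advisory): NGINX in front of a
# self-hosted Next.js app assumed to listen on 127.0.0.1:3000.
# Two layers: reject requests that set the header, and strip it from
# anything that is forwarded, so the Next.js process never sees it.
server {
    listen 80;
    server_name example.com;   # assumed hostname

    location / {
        # NGINX exposes request headers as $http_<name>, with hyphens
        # turned into underscores; header names match case-insensitively.
        # Returning 403 (rather than silently dropping the header) leaves
        # a log entry you can alert on.
        if ($http_x_middleware_subrequest) {
            return 403;
        }

        # Belt and braces: setting a proxied header to an empty string
        # removes it from the upstream request, so even a request that
        # slips past the check above never forwards it to Next.js.
        proxy_set_header x-middleware-subrequest "";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000;
    }
}
```

Two caveats. First, this only helps if the proxy is the sole path to the application: bind the Next.js process to localhost or firewall its port, otherwise an attacker simply sends the header to it directly. Second, it is a stopgap, not a fix; the header is part of how Next.js works internally, and upgrading to a patched release remains the real remediation. The Apache equivalent uses mod_headers to strip the header (RequestHeader unset x-middleware-subrequest early) and, to reject instead, mod_rewrite with a RewriteCond on %{HTTP:x-middleware-subrequest} followed by a RewriteRule with the [F] flag.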
Read this post on Vercel’s official blog to learn more.
Here is the full research that helped discover this vulnerability.