Next.js Middleware Vulnerability (CVE-2025-29927)
Adan Cuevas 03/24/2025 Cybersecurity, cyberattack
2 Minutos

A serious vulnerability was recently discovered that is causing a stir in the Next.js community. It is CVE-2025-29927, a flaw that affects the framework's middleware and could put millions of applications that use it at risk.

 

What is the CVE-2025-29927 vulnerability?

 

CVE-2025-29927 (with a critical score of CVSS 9.1) is a flaw that allows attackers to bypass middleware security checks. The middleware in Next.js is responsible for intercepting incoming HTTP requests and is typically used for important things like:

 

  1. Access control

  2. Session validation

  3. Redirecting

  4. Adding security headers

 

The problem is that this vulnerability allows an attacker to manipulate an HTTP request using the x-middleware-subrequest header. With certain specific values, this header can trick middleware into bypassing those security checks that many developers take for granted. In other words, if your app relies on middleware to protect sensitive areas, this vulnerability could leave those sections exposed. 

 

CVE-2025-29927

 

Which versions are at risk?

 

The vulnerability affects:

 

  1. Next.js 11.1.4 through 13.5.6.

  2. Unpatched versions of Next.js 14.x and 15.x

 

If your application uses middleware to handle authentication, permissions or other security measures, you are most likely at risk.

 

How is this vulnerability exploited?

 

The way attackers exploit this flaw varies by version:

 

  1. Older versions (prior to 12.2): The exploit is triggered when the HTTP header includes this line: x-middleware-subrequest: pages/_middleware.

  2. Newer versions: Attackers use a repeating pattern in the header to fool the middleware: x-middleware-subrequest: middleware:middleware:middleware.

  3. If your project uses a src/-based directory structure, they could also employ this format: x-middleware-subrequest: src/middleware:....

 

This technique allows attackers to bypass middleware security checks and access protected paths or perform unauthorized actions.

 

Read more:  What is a Cyberattack?

 

Why is this vulnerability so dangerous?

 

The risk of CVE-2025-29927 is due to three key factors:

 

  1. No authentication is required for the exploit to work.

  2. It silently bypasses the security checks that developers rely on to control access.

  3. Its consequences can be severe, including the theft of sensitive data or service disruption.

 

An analysis by Shodan revealed that there are more than 330,000 instances of Next.js potentially exposed on the Internet, with the United States having the highest number of cases.

 

shodan

 

How to mitigate the threat?

 

If you use Next.js, it is important that you take action as soon as possible to protect your application. The Next.js team has already released patches to fix this vulnerability, so the best thing you can do is update to the latest version available.

 

Which version do you need to install?

 

  1. If you are using version 15.x, upgrade to 15.2.3 or higher.

  2. If you are using version 14.x, upgrade to 14.2.25 or higher.

  3. If you are on a version between 11.1.4 and 13.5.6, unfortunately there is no patch available, so it is in your best interest to plan a migration as soon as possible.

 

Can't upgrade right away?

 

If for some reason you can't upgrade your Next.js right now, there is a workaround: Block external requests that include the x-middleware-subrequest header.

Of course, this blocking must be done at your proxy or network layer (e.g., your CDN or firewall) and not inside your application's middleware, since doing it inside Next.js itself would not solve the problem completely.

This measure helps to reduce the risk, but keep in mind that it could affect some legitimate internal functions of your app, so proceed with caution.

 

Recommended steps to protect your application

 

  1. Check which version of Next.js you are using and update it if necessary.

  2. Analyze your middleware, especially the parts that control access and permissions.

  3. Monitor your logs for suspicious requests containing the x-middleware-subrequest header.

  4. Update your security models, considering that middleware alone is not enough to protect your application.

Taking these steps will help you keep your application secure and minimize the risk of this vulnerability.

Tag:

Cybersecurity cyberattack

How to protect your company with the shared responsibility model?

Artículo Anterior

    Categories

    Most read articles

    Jonathan Montoya 03/11/2025 Cybersecurity
    March 2025 Patch Tuesday Microsoft Security Updates
    Alexander Chapellin 02/18/2025 Cybersecurity, cyberattack
    Data Breach at Thermomix Exposes User Information
    Alexander Chapellin 03/14/2025 Cybersecurity, cyberattack, XDR, SOC, EDR
    What is a Cyberattack?
    Zoilijee Quero 03/07/2025 Cybersecurity, cyberattack, Zero Trust
    What is Zero Trust?

    Artículos Relacionados

    Cybersecurity, cyberattack, malware, TecnetProtect
    Adan Cuevas 03/20/2025

    How to protect your company with the shared responsibility model?

    Cybersecurity is no longer just a priority on your company's agenda; it has become a fundamental

    Leer más
    Cybersecurity, cyberattack, malware
    Adriana Aguilar 03/19/2025

    New RAT Malware Used for Cryptocurrency Theft

    Cybercriminals are constantly finding new ways to launch attacks, and this time they're going after

    Leer más
    Cybersecurity, cyberattack, TecnetProtect
    Scarlet Mendoza 03/14/2025

    What Is Ransomware? How to Prevent

    Ransomware isn’t just another tech buzzword — it’s a real threat that can cripple businesses and

    Leer más
    Bottom Banner

    Reduce los costos de TI y eleva la productividad de tu empresa con TecnetOne

    Si te interesa implementar soluciones en la nube en tu empresa, te invitamos a que nos contactes.

    Quiero saber más