Location>code7788 >text

NextJS CVE-2025-29927 Security Vulnerability

Popularity:942 ℃/2025-03-25 09:09:02

NextJS CVE-2025-29927 Security Vulnerability

CVE-2025-29927It is an existence inCritical security vulnerabilities in the framework. This vulnerability allows an attacker to bypass the security check of the middleware by forging or tampering with the x-middleware-subrequest request header, thereby accessing the originally protected route or API, resulting in authorization bypass and potential deeper security risks. This article will provide detailed explanations on the causes of vulnerabilities, scope of impact, fix versions and temporary mitigation plans.

1. Overview of vulnerabilities

1. The principle of vulnerability

Internal passes a request header called x-middleware-subrequest to prevent recursive calls or infinite loops of its own middleware. But researchers found thatAttackers can artificially add to external requestsThis request header, and uses a specific format,Middleware thinksThis is a "sub-request", thusjump overAuthentication or security checks that should have been performed.

2. Vulnerability impact

2.1. Authorization Bypass:

Login state or permission verification performed by the application relying on middleware will be ignored, and an attacker may access API/pages that require administrator or advanced permissions without logging in.

2.2. Potential security header bypass:

If the application injects security headers (CSP, HSTS, etc.) through Middleware, it may also be bypassed, causing the browser protection to fail.

2.3. Rewrite path (Rewrite) invalid:

In some scenarios, middleware will be rewritten or redirected according to the path. Attackers can exploit vulnerabilities to skip rewrites and access internal routes or private interfaces.

2. Affected Scope

1. Affect version

According to official and community disclosures, the affected version range and corresponding repair version are as follows:

  • 11.1.4 ~ 13.5.6: Unpatched version
  • :Affected before 14.2.25
  • :Affected before 15.2.3

2. Repair version

Latest fix:

  • 15.2.3 (for )
  • 14.2.25 (for )
  • 13.5.9 (for )
  • 12.3.5 (for )

Among them, the corresponding patched versions of 13 and 12 have also been released: 13.5.9, 12.3.5. Please confirm your project version and update to the secure version or later version in time.

3. Affected deployment methods

  • Self-hosted: Applications running with next start with Middleware enabled will rely on the middleware for authentication/security checks when requesting entry, so they are easily affected.
  • Standalone output: Also affected.

4. Unaffected scenarios

  • Hosted in Vercel: The official hosting environment will have additional processing for x-middleware-subrequest by default and is usually not affected by this vulnerability.
  • NetlifyOr pure static deployment (next export): Because Middleware will not be executed or disabled unconditionally, it is not affected by this vulnerability.
  • Cloudflare Managed WAF: If the relevant rules are opened, it can block suspicious request headers and may also mitigate the risk.
  • Application deployed as static export (middleware not executed)

3. Causes of loopholes

When processing user requests, x-middleware-subrequest is checked to identify internal subrequests and prevent middleware from being called recursively. However, in the affected version, the source and splicing method of the headLack of strict verification,lead toMalicious external requestThis can also be brought with you, thus deceiving the judgment logic and completely bypassing the middleware security mechanism.

In older versions (such as 12.2 below), attackers can use:

x-middleware-subrequest: pages/_middleware

In newer versions (such as , ,), more complex strings are required, such as:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

or

x-middleware-subrequest: src/middleware:middleware:middleware

to trigger bypass behavior.

IV. Vulnerability exploitation examples

Assume that the application implements the following logic in / to verify that the user is logged in, and if it is not logged in, it blocks access to /admin routes:

export function middleware(req: NextRequest) {
  const token = ('session');
  if (!token && ('/admin')) {
    return ('/login');
  }
  return ();
}

If an attacker attaches a forged one to the request header:

GET /admin/dashboard HTTP/1.1
Host: 
x-middleware-subrequest: middleware:middleware:middleware

It may make it possible to determine that the request is an internal middleware call, thus skipping this verification directly and accessing /admin/dashboard successfully.

5. Repair and relief

1. Upgrade to the secure version

The most direct and safeThe plan is to upgrade to the official releaseWith security patchVersion:

  • : Upgrade to >= 15.2.3
  • : Upgrade to >= 14.2.25
  • : Upgrade to >= 13.5.9
  • : Upgrade to >= 12.3.5

2. Temporary measures: Intercept x-middleware-subrequest in the Edge/Proxy layer

If the upgrade cannot be performed in the short term, you can be in the reverse proxy or load balancing layer (such as Nginx, Cloudflare, AWS ALB)Directly discard or rewrite x-middleware-subrequest from outside, make sure that only the real internal request header can pass. Example Nginx configuration:

proxy_set_header x-middleware-subrequest "";

Or use ACL to intercept any external request with that header. But be aware that this approach needs to beBeyond middlewarewhere implementation, otherwise it may also be bypassed.

3. Secondary verification

If you have authorization verification in the middleware, you can also detect permissions again in the API routing or page layer to avoid serious consequences due to single point bypass.

6. Timeline (Example)

  • 2025-02-27: Researchers report to the official report through GitHub private vulnerability channel
  • 2025-03-14: Official confirmation and repair
  • 2025-03-17 ~ 03-18: Repaired versions 14.2.25, 15.2.3 are released one after another
  • 2025-03-21: Officially disclose safety announcements and allocate CVE-2025-29927
  • 2025-03-22~03-23: Roll back the patch to subsequent , (13.5.9, 12.3.5)

7. Summary

Security notices began to be issued as early as 2016; as the number of users increases, the official has also continuously improved the process of vulnerability collection, patch release and community notification. This time, CVE-2025-29927 also reminds again:Key security logic should not rely solely on pre-middleware, multi-layer verification is required; framework upgrades and security notifications should be followed up in a timely manner to avoid serious impacts of similar vulnerabilities.

If your project cannot be upgraded or lacks a security policy, be sure to take temporary measures as soon as possible (such as preventing the header from being transmitted from outside) and complete the update as soon as possible. For teams that rely on permission verification or path rewriting, it is strongly recommended to conduct regular security audits and penetration tests to prevent subsequent similar risks.

Reference link

  1. Official security announcement: CVE-2025-29927
  2. ZeroPath Blog: Middleware CVE-2025-29927 Auth Bypass
  3. CVE-2025-29927
<Previous Next>