
Critical Next.js Vulnerability (CVE-2025-29927) Allows Authentication Bypass via Header Spoofing
A critical vulnerability (CVE-2025-29927) in Next.js allows attackers to bypass middleware-based authentication by spoofing the internal x-middleware-subrequest header, enabling unauthenticated access to protected pages. The flaw affects Next.js versions prior to 15.2.3 and stems from a design weakness: the framework does not validate the origin of the header, so an external request that carries it is treated as an internal subrequest and middleware execution is skipped. Attackers can reach sensitive endpoints such as /monitoring/internal-status by sending the header with the value middleware:middleware:middleware:middleware:middleware, which the framework reads as having already hit its middleware recursion depth threshold. The risk stems from developers relying solely on middleware for authentication without additional server-side checks. Next.js 15.2.3 mitigates the issue by stripping the header from external requests. The proof of concept was demonstrated against the intentionally vulnerable OopsSec Store application.
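The following is an added example written for this article; it is not code from the original report, from the OopsSec Store application, or from the Next.js project. It shows the two defensive moves the text describes from the operator's side: stripping x-middleware-subrequest from every externally originated request (the behaviour Next.js 15.2.3 applies) and flagging access-log records that carried the header, so an unpatched deployment can be alerted on. The log record shape (ts, src, path, headers) and the sample records are constructed for the example, and the "five or more colon-separated segments" heuristic is an assumption derived from the header value quoted above.

```javascript
// Added example (not code from the article or from Next.js).
// Defensive handling of CVE-2025-29927 at the edge and in a log pipeline:
//  1. stripInternalHeaders(): drop x-middleware-subrequest from requests that
//     arrive from outside, mirroring the mitigation shipped in Next.js 15.2.3.
//  2. flagBypassAttempts(): scan access-log records for requests that carried
//     the header; an external client should never send it.
// All log records below are constructed sample data, not real traffic.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive, so compare on a lowercased copy.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Return a copy of the request headers with the internal header removed,
// plus a flag saying whether anything was stripped (useful for metrics).
// Apply this to every externally originated request before it reaches the app.
function stripInternalHeaders(headers) {
  const normalized = normalizeHeaders(headers);
  const stripped = Object.prototype.hasOwnProperty.call(normalized, INTERNAL_HEADER);
  delete normalized[INTERNAL_HEADER];
  return { headers: normalized, stripped };
}

// Detection: emit one finding per log record that carried the header.
// "depth" counts the colon-separated segments; the value quoted in the
// article repeats the middleware name five times, so depth >= 5 is
// treated as a likely bypass attempt (assumed threshold, not from Next.js).
function flagBypassAttempts(records) {
  const findings = [];
  for (const rec of records) {
    const h = normalizeHeaders(rec.headers || {});
    if (!(INTERNAL_HEADER in h)) continue;
    const value = String(h[INTERNAL_HEADER]);
    const depth = value.split(':').filter(Boolean).length;
    findings.push({
      ts: rec.ts,
      src: rec.src,
      path: rec.path,
      value,
      depth,
      likelyBypass: depth >= 5,
    });
  }
  return findings;
}

// Constructed sample access-log records (addresses from documentation ranges).
const SAMPLE_LOGS = [
  { ts: '2025-03-24T10:00:01Z', src: '203.0.113.5', path: '/monitoring/internal-status',
    headers: { 'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware' } },
  { ts: '2025-03-24T10:00:02Z', src: '203.0.113.9', path: '/',
    headers: { 'user-agent': 'curl/8.0' } },
  { ts: '2025-03-24T10:00:03Z', src: '198.51.100.2', path: '/admin',
    headers: { 'x-middleware-subrequest': 'middleware' } },
];

// Stand-alone run: print the findings for the sample records.
console.log(JSON.stringify(flagBypassAttempts(SAMPLE_LOGS), null, 2));
```

Run with `node` to see the two findings; the first record (depth 5 against /monitoring/internal-status) is marked likelyBypass, the third (depth 1) is reported but not escalated. Stripping at a reverse proxy in front of an unpatched app is a stopgap only; the durable fix is upgrading and adding the server-side authorization check in the route itself that the article says was missing.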