Understanding the Next.js Authorization Bypass Vulnerability
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
A critical authorization bypass vulnerability, tracked as CVE-2025-29927, was disclosed in Next.js in March 2025. It lets an unauthenticated attacker make the server skip its middleware entirely, so any authorization check that lives only in middleware is never run and the routes it was protecting are exposed.
Key Points
- Vulnerability Identification: CVE-2025-29927
- Discoverers: Rachid Allam (zhero) and Yasser Allam (inzo_)
- Affected Versions: Next.js 15.x before 15.2.3, 14.x before 14.2.25, 13.x before 13.5.9 and 12.x before 12.3.5 (the fix was backported to the older release lines; see the upgrade table below)
- Exploitation Method: adding an x-middleware-subrequest: middleware header to the request
Exploitation Details
Proof of Concept
A proof of concept (POC) is available on GitHub: CVE-2025-29927 POC
How It Works
The attacker adds the header x-middleware-subrequest: middleware to a request for a protected route. Next.js sets this header on its own internal sub-requests (for example when middleware rewrites or fetches) so that the middleware does not run a second time on them. Before the fix the server honoured the header no matter where it came from, so a client that supplies it makes the server skip the middleware entirely. Nothing else is manipulated: the middleware simply never executes, and whatever authentication or authorization logic it contained never runs.
The header value has to name the middleware module. It is middleware for a middleware.ts or middleware.js at the project root, src/middleware when the file lives under src/, and pages/_middleware on old Pages Router versions. Recent vulnerable versions only skip the middleware once the name appears in the value often enough to trip the framework's recursion guard, so there the value becomes middleware:middleware:middleware:middleware:middleware.
Example Command
To access a protected route such as /protected, an attacker can use the following curl command:
curl -H "x-middleware-subrequest: middleware" http://xx.xx.xxx.xx:3000/protected
Against an unpatched server whose only authorization check is in middleware, this returns the protected page instead of the redirect or 401/403 that an anonymous request would otherwise receive. Send the same request without the header as a control: if the two responses are identical, either the header value does not match the middleware name for that version or the server is patched.
Mitigation Strategies
Upgrade Recommendations
| Next.js Version | Upgrade To |
|---|---|
| 15.x | 15.2.3 |
| 14.x | 14.2.25 |
| 13.x | 13.5.9 |
| 12.x | 12.3.5 |
Workaround
If upgrading is not feasible, block or strip HTTP requests containing the x-middleware-subrequest header at a reverse proxy, WAF or CDN in front of the application, before they reach Next.js. Match on the header name only, case-insensitively and regardless of its value: the value an attacker needs varies with the version and the middleware's location, and HTTP header names are not case-sensitive. Stripping is safe because the framework's genuine sub-requests are made inside the server process and never pass through an external proxy.
Independently of the workaround, enforce authorization in the route handlers, API routes or server components themselves rather than only in middleware. Middleware is a convenient first gate, not a security boundary, and this bug is a reminder that anything it alone protects is lost the moment it is skipped.
Learn More
For more detailed information and additional resources, visit: