A critical vulnerability has been discovered in Next.js applications, allowing attackers to bypass authorization checks. The issue affects versions 11.1.4 through 13.5.6, as well as early releases of the 14.x and 15.x branches.
The vulnerability, tracked as CVE-2025-29927 (CVSS score: 9.1), is related to improper handling of the x-middleware-subrequest header within middleware. If an application relies on middleware for authorization, an attacker can craft a specially formatted request to bypass all access checks.
Key Risks and Exploitation
- No privileges required – The attack does not require authentication or prior access.
- No user interaction needed – The exploit requires no action from a victim user.
- Remotely exploitable – The attack is performed over the network.
- Potential data leaks – Sensitive information may be exposed.
- Integrity risks – Attackers could modify protected resources.
Patch and Mitigation
- Fixed in version 15.2.3
- Version 14.x is secured with update 14.2.25
- No patches for versions 11.1.4 – 13.5.6: the recommended workaround is to block external HTTP requests containing the x-middleware-subrequest header at the proxy or firewall level.
Applications deployed via Vercel are NOT affected due to platform-specific security measures. However, all other users should take immediate action by updating to a secure version or implementing request filtering.
The flaw is classified as an Access Control Violation (CWE-285). While it does not directly enable a Denial-of-Service (DoS) attack, the risk of unauthorized access to protected resources makes this a critical security issue.
