Thursday, April 17, 2025
Follow us On Linkedin
HomeCVE/vulnerabilityCritical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization

Critical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization

CVE/vulnerabilityCyber Security NewsVulnerability

Published on

By Divya
Critical Next.js Middleware Vulnerability Allows Attackers to Bypass Authorization

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

A severe vulnerability has been identified in Next.js, a popular React framework used for building web applications, under the designation CVE-2025-29927.

This critical flaw allows attackers to bypass security controls implemented by middleware, posing significant risks to authentication, authorization, and security header implementations, as per a report by Zeropath.

CVE-2025-29927: Overview

The exploit works by manipulating the x-middleware-subrequest header, enabling attackers to circumvent security checks.

- Advertisement - Google News

For older versions of Next.js (pre-12.2), the header can be constructed as follows:

x-middleware-subrequest: pages/_middleware

In more recent versions, the header requires a repetitive pattern:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

For setups using the src directory, it is necessary to replace middleware with src/middleware.

Affected Products

The following table highlights the versions of Next.js that are affected by this vulnerability:

Product VersionAffected Versions
Next.js 11.x11.1.4 and later (unpatched)
Next.js 12.xUnpatched versions
Next.js 13.x13.5.6 and earlier (unpatched)
Next.js 14.xBefore 14.2.25
Next.js 15.xBefore 15.2.3

Mitigation Strategies

Users are advised to take immediate action to mitigate the risks associated with CVE-2025-29927:

  1. Update Next.js Version:
    • For those using Next.js 15.x, update to version 15.2.3 or later.
    • For those on Next.js 14.x, update to version 14.2.25 or later.
  2. Edge/Proxy Header Blocking:
    • If updating is not feasible, block the x-middleware-subrequest header at your edge or proxy level. Important: Do not attempt to block the header within the middleware itself.

By promptly implementing these measures, users can protect their applications from potential exploits of this critical vulnerability.

The discovery of CVE-2025-29927 emphasizes the importance of staying vigilant and keeping software up to date, especially for widely used frameworks like Next.js.

As always, security updates should be prioritized to safeguard against emerging threats and ensure a secure digital environment.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Cyber Attack

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...
cyber security

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...
Cyber Attack

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...
cyber security

Microsoft Vulnerabilities Reach Record High with Over 1,300 Reported in 2024

The 12th Edition of the Microsoft Vulnerabilities Report has revealed a significant surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Cyber Attack

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...
cyber security

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...
Cyber Attack

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved