Up to date

Published Apr 6, 2025

2 min read

Trevor I. Lasn

Building skillcraft.ai yourwebsitedeservesbetter.com and blamesteve.lol

CVE-2025-29927 - Next.js Middleware Bypass Explained In Simple Terms

The vulnerability skips Next.js middleware security checks by adding a single HTTP header

Next.js middleware normally checks if users can access protected pages. It runs before your page loads and can block unauthorized visitors.

But malicious users can add a special header called x-middleware-subrequest to their HTTP requests. When they do this, Next.js skips running your middleware completely. This means all your security checks get bypassed.

Here’s what a normal request looks like:

And here’s what a malicious request looks like:

That’s it. By adding this one header, they bypass all your security checks.

What is the x-middleware-subrequest Header?

The x-middleware-subrequest header is an internal Next.js header that prevents infinite loops. When middleware calls pages that also have middleware, this header tracks the chain.

If the same middleware appears 5+ times in the chain, Next.js stops running middleware to prevent stack overflow. The header stores middleware names separated by colons.

The vulnerability exists because Next.js trusts this header in all incoming requests, not just internal ones. By adding this header with five instances of “middleware”, attackers can trick Next.js into skipping the security checks entirely.

Next.js Versions Affected

The vulnerability affects all versions of Next.js from 11.1.4 to 15.2.2. The issue was fixed in the following versions:

Version Range	Status	Action
11.1.4 to 12.3.4	Vulnerable	Update to 12.3.5 or newer
13.0.0 to 13.5.8	Vulnerable	Update to 13.5.9 or newer
14.0.0 to 14.2.24	Vulnerable	Update to 14.2.25 or newer
15.0.0 to 15.2.2	Vulnerable	Update to 15.2.3 or newer
12.3.5+	Patched	No action needed
13.5.9+	Patched	No action needed
14.2.25+	Patched	No action needed
15.2.3+	Patched	No action needed

The patched versions now validate this header properly to prevent abuse from external requests.

References

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev

3 min read

HTML Details Element: The Native Accordion You're Not Using

Discover how the HTML details element can replace your JavaScript accordions and why it might be better than your current solution

Robust Data Fetching Architecture For Complex React/Next.js Apps

How I use the 'Three Layers of Data' architecture pattern for React and Next.js apps to avoid common pitfalls, tech debt, and improve performance

WebAssembly (Wasm): When (and When Not) to Use It

Understanding the real use cases for WebAssembly beyond the performance hype

Remove Unnecessary NPM Packages with eslint-plugin-depend

We don't need packages to handle basic JavaScript tasks

Add Auth to Astro 5 with Clerk in 5 Minutes

The simplest setup for adding Clerk authentication to your Astro project, with minimal code

Invisible columns in SQL

It’s a small feature, but it can make a big difference.

Open Dyslexic Font: Improve Your Web Accessibility

How to implement the Open-Dyslexic font to enhance readability for users with dyslexia

10 Essential Terminal Commands Every Developer Should Know

List of useful Unix terminal commands to boost your productivity. Here are some of my favorites.

Micro Frontends: The LEGO Approach to Web Development

Explore the concept of micro frontends in web development, understand their benefits, and learn when this architectural approach is most effective for building scalable applications.

Oct 2, 2024

Read article

all articles

This article was originally published on https://www.trevorlasn.com/blog/cve-2025-29927-nextjs-middleware. It was written by a human and polished using grammar tools for clarity.