Vanta Logo
SPONSOR
Automate SOC 2 & ISO 27001 compliance with Vanta. Get $1,000 off.
Up to date
Published
2 min read

Trevor I. Lasn

Staff Software Engineer, Engineering Manager

CVE-2025-29927 - Next.js Middleware Bypass Explained In Simple Terms

The vulnerability skips Next.js middleware security checks by adding a single HTTP header

Next.js middleware normally checks if users can access protected pages. It runs before your page loads and can block unauthorized visitors.

But malicious users can add a special header called x-middleware-subrequest to their HTTP requests. When they do this, Next.js skips running your middleware completely. This means all your security checks get bypassed.

Here’s what a normal request looks like:

And here’s what a malicious request looks like:

That’s it. By adding this one header, they bypass all your security checks.

What is the x-middleware-subrequest Header?

The x-middleware-subrequest header is an internal Next.js header that prevents infinite loops. When middleware calls pages that also have middleware, this header tracks the chain.

If the same middleware appears 5+ times in the chain, Next.js stops running middleware to prevent stack overflow. The header stores middleware names separated by colons.

The vulnerability exists because Next.js trusts this header in all incoming requests, not just internal ones. By adding this header with five instances of “middleware”, attackers can trick Next.js into skipping the security checks entirely.

Next.js Versions Affected

The vulnerability affects all versions of Next.js from 11.1.4 to 15.2.2. The issue was fixed in the following versions:

Version RangeStatusAction
11.1.4 to 12.3.4VulnerableUpdate to 12.3.5 or newer
13.0.0 to 13.5.8VulnerableUpdate to 13.5.9 or newer
14.0.0 to 14.2.24VulnerableUpdate to 14.2.25 or newer
15.0.0 to 15.2.2VulnerableUpdate to 15.2.3 or newer
12.3.5+PatchedNo action needed
13.5.9+PatchedNo action needed
14.2.25+PatchedNo action needed
15.2.3+PatchedNo action needed

The patched versions now validate this header properly to prevent abuse from external requests.

References

If you found this article helpful, you might enjoy my free newsletter. I share developer tips and insights to help you grow your skills and career.


More Articles You Might Enjoy

If you enjoyed this article, you might find these related pieces interesting as well. If you like what I have to say, please check out the sponsors who are supporting me. Much appreciated!

Webdev
4 min read

Understanding Vue's Suspense

How the Suspense component manages async dependencies and improves loading states in Vue apps

Aug 23, 2024
Read article
Webdev
13 min read

10 Essential Terminal Commands Every Developer Should Know

List of useful Unix terminal commands to boost your productivity. Here are some of my favorites.

Aug 21, 2024
Read article
Webdev
5 min read

WebAssembly (Wasm): When (and When Not) to Use It

Understanding the real use cases for WebAssembly beyond the performance hype

Nov 25, 2024
Read article
Webdev
3 min read

The HTML Native Search Element

The search HTML element is a container that represents the parts of the web page with search functionality

Dec 2, 2024
Read article
Webdev
4 min read

LH and RLH: The CSS Units That Make Vertical Spacing Easy

Exploring new CSS line-height units that eliminate guesswork from vertical rhythm

Dec 3, 2024
Read article
Webdev
4 min read

HTTP CONNECT: Building Secure Tunnels Through Proxies

Understand how HTTP CONNECT enables HTTPS traffic through proxies

Nov 28, 2024
Read article
Webdev
7 min read

How to Land Your First Tech Job

A developer's guide to tech interviews - from someone who sits on both sides of the table

Oct 24, 2024
Read article
Webdev
4 min read

Remove Unnecessary NPM Packages with eslint-plugin-depend

We don't need packages to handle basic JavaScript tasks

Aug 13, 2024
Read article
Webdev
4 min read

The What, Why, and How of Using a Skeleton Loading Screen

Skeleton loading screens enhance user experience and make your app feel faster

Nov 12, 2020
Read article

Become a better engineer

Here are engineering resources I've personally vetted and use. They focus on skills you'll actually need to build and scale real projects - the kind of experience that gets you hired or promoted.

Many companies have a fixed annual stipend per engineer (e.g. $2,000) for use towards learning resources. If your company offers this stipend, you can forward them your invoices directly for reimbursement. By using my affiliate links, you support my work and get a discount at the same!


This article was originally published on https://www.trevorlasn.com/blog/cve-2025-29927-nextjs-middleware. It was written by a human and polished using grammar tools for clarity.