CVE-2025-29927 Scanner

Next.js is a popular React framework used by developers to build server-side rendered and static web applications. It is widely adopted for creating dynamic websites and applications due to its performance optimization features and ease of use. Companies and developers across industries rely on Next.js for building scalable and secure web solutions. The middleware functionality in Next.js is critical for implementing security controls, routing, and other application logic.

The vulnerability identified in Next.js involves a middleware bypass that allows attackers to circumvent security controls by exploiting a specially crafted header, 'x-middleware-subrequest.' This bypass can lead to unauthorized access to protected resources and compromise the integrity of the application’s security mechanisms.

Technically, the vulnerability stems from improper handling of the 'x-middleware-subrequest' header within middleware logic, enabling attackers to bypass authorization checks. The affected versions include 11.1.4 through 15.2.2, where this flaw can be exploited by sending malicious requests containing the crafted header.

If exploited, this vulnerability could result in severe consequences such as unauthorized access to sensitive data, disruption of application functionality, or circumvention of critical security controls like authentication and authorization mechanisms.

REFERENCES

• https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
• https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
• https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/