
Next.js middleware plays a key role in securing applications by enforcing authentication, managing access control, and applying security headers. However, a newly discovered vulnerability, CVE-2025-29927, allows attackers to bypass these protections entirely using a manipulated HTTP header.
Affected Versions
This flaw affects the following versions:
- Next.js prior to 14.2.25
- Next.js prior to 15.2.3
The Core Issue
Next.js prevents infinite middleware loops by tracking executions with the x-middleware-subrequest header. If the number of entries in this header for the current middleware reaches a defined threshold (MAX_RECURSION_DEPTH, default: 5), Next.js skips running the middleware and lets the request proceed. Attackers can exploit this by setting the header themselves on an ordinary client request, tricking Next.js into skipping security checks.
Vulnerable code example:
const runtime = await getRuntimeContext(params)
// Read the internal recursion-tracking header straight from the incoming request;
// nothing distinguishes a value set by Next.js from one supplied by a client.
const subreq = params.request.headers[`x-middleware-subrequest`]
const subrequests = typeof subreq === 'string' ? subreq.split(':') : []
const MAX_RECURSION_DEPTH = 5
// Count how many entries name the current middleware.
const depth = subrequests.reduce(
  (acc, curr) => (curr === params.name ? acc + 1 : acc),
  0
)
// At the threshold, return a pass-through response instead of running the middleware.
if (depth >= MAX_RECURSION_DEPTH) {
  return {
    waitUntil: Promise.resolve(),
    response: new runtime.context.Response(null, {
      headers: {
        'x-middleware-next': '1',
      },
    }),
  }
}
By injecting a header such as x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware, attackers force Next.js to assume the middleware has already executed the maximum number of times, so it is skipped for the request, leading to a full security bypass.
Real-World Security Risks
This vulnerability enables various high-impact attacks:
- Authentication Bypass. Attackers can gain unauthorized access to restricted areas such as admin panels or user dashboards.
- CSP Header Bypass. Attackers can circumvent middleware-enforced security headers, causing these critical protections to disappear.
- Geographic Restrictions Bypass. Attackers can spoof their location to access content that is restricted by geographic boundaries.
Mitigation Steps
To enhance the security of your application, consider these essential steps:
- Upgrade to a Patched Version. Ensure your application is secure by upgrading to Next.js 15.2.3 or later, or 14.2.25 or later, as these releases have addressed the identified vulnerability.
- Block Malicious Headers. If an immediate update isn’t feasible, implement a temporary measure by filtering out the x-middleware-subrequest header at the web server level to mitigate potential risks.
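The following is an added example, not code from the Upwind post or from Next.js itself. It covers both the depth check described under The Core Issue and the header-filtering mitigation above: it mirrors the page's counting logic so a defender can see exactly which header values would cause a skip, classifies incoming requests for detection, and strips the header from client requests the way an edge proxy would. The header-object shape (lowercased names, as Node.js presents them), the middleware name "middleware" and the sample requests are constructed assumptions.

```javascript
// Added example (not from the Upwind post or the Next.js code base).
// Shows, from a defender's side, how the vulnerable depth check reads
// x-middleware-subrequest, how to detect requests carrying it, and how to
// strip it at the edge. Header objects use lowercased names (assumption).

const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // default quoted in the post

// Mirrors the page's depth computation: split on ':' and count entries
// equal to the middleware name. This is the value the vulnerable check sees.
function subrequestDepth(headerValue, middlewareName) {
  const subrequests = typeof headerValue === 'string' ? headerValue.split(':') : [];
  return subrequests.reduce((acc, curr) => (curr === middlewareName ? acc + 1 : acc), 0);
}

// True when the header value would make the vulnerable check skip the middleware.
function wouldSkipMiddleware(headerValue, middlewareName) {
  return subrequestDepth(headerValue, middlewareName) >= MAX_RECURSION_DEPTH;
}

// Detection: classify one request by whether it carries the internal header.
// Any client-supplied copy is suspicious; one at or above the threshold is a
// bypass attempt against an unpatched server.
function classifyRequest(headers, middlewareName = 'middleware') {
  const value = headers[SUBREQUEST_HEADER];
  if (value === undefined) return { verdict: 'clean', depth: 0 };
  const depth = subrequestDepth(value, middlewareName);
  return {
    verdict: depth >= MAX_RECURSION_DEPTH ? 'bypass-attempt' : 'suspicious',
    depth,
  };
}

// Run the classifier over a batch of requests and return only the findings,
// e.g. for forwarding to an alerting pipeline.
function detectBypassAttempts(requests, middlewareName = 'middleware') {
  return requests
    .map((req, i) => ({ index: i, path: req.path, ...classifyRequest(req.headers, middlewareName) }))
    .filter((r) => r.verdict !== 'clean');
}

// Mitigation: the header only has meaning for Next.js's own internal
// subrequests, so drop it from every request that arrives from a client.
// Returns a new header object; the input is left untouched.
function stripSubrequestHeader(headers) {
  const cleaned = { ...headers };
  delete cleaned[SUBREQUEST_HEADER];
  return cleaned;
}

// Constructed sample traffic (not real captures).
const SAMPLE_REQUESTS = [
  { path: '/dashboard', headers: { host: 'app.example.test' } },
  {
    path: '/admin',
    headers: {
      host: 'app.example.test',
      [SUBREQUEST_HEADER]: 'middleware:middleware:middleware:middleware:middleware',
    },
  },
  { path: '/api/me', headers: { host: 'app.example.test', [SUBREQUEST_HEADER]: 'middleware' } },
];

// Usage: list findings, then show the sanitized headers an edge proxy would forward.
for (const finding of detectBypassAttempts(SAMPLE_REQUESTS)) {
  console.log(`${finding.verdict} depth=${finding.depth} path=${finding.path}`);
}
console.log(stripSubrequestHeader(SAMPLE_REQUESTS[1].headers));
```

The classifier treats any client-supplied copy of the header as worth logging, not just values that reach the threshold, because legitimate browsers never send it; an edge rule that strips it unconditionally is safe for the same reason and is the temporary mitigation the post recommends until the upgrade is in place.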
How Upwind Protects Against This Threat
Upwind’s Runtime Security is designed to detect and flag malicious requests attempting to exploit vulnerabilities.
Our platform offers the following capabilities:
- Live API Traffic Monitoring. Continuously monitors API traffic to detect exploitation attempts.
- AI-based Anomaly Detection. Utilizes advanced AI algorithms to identify abnormal request patterns.
- Real-Time Alerts. Notifies security teams immediately to prevent active attacks.
- Exposure Overview. Offers a detailed overview of resources running vulnerable Next.js versions, enabling teams to quickly evaluate and address potential risks.
Learn More
By leveraging Upwind’s runtime security, organizations gain enhanced visibility into exploitation attempts, allowing them to dynamically protect their applications. To learn more about how Upwind protects against vulnerabilities, schedule a demo.