Next.js middleware plays a key role in securing applications by enforcing authentication, managing access control, and applying security headers. However, a newly discovered vulnerability, CVE-2025-29927, allows attackers to bypass these protections entirely using a manipulated HTTP header.

Affected Versions

This flaw affects the following versions:

  • Next.js prior to 14.2.25
  • Next.js prior to 15.2.3

The Core Issue

Next.js prevents infinite middleware loops by tracking executions using the x-middleware-subrequest header. If this header exceeds a defined threshold (MAX_RECURSION_DEPTH, default: 5), middleware execution stops. Attackers can exploit this by manually setting the header, tricking Next.js into skipping security checks.

Vulnerable code example:

const runtime = await getRuntimeContext(params)
const subreq = params.request.headers[`x-middleware-subrequest`]
const subrequests = typeof subreq === 'string' ? subreq.split(':') : []

const MAX_RECURSION_DEPTH = 5
const depth = subrequests.reduce(
  (acc, curr) => (curr === params.name ? acc + 1 : acc),
  0
)

if (depth >= MAX_RECURSION_DEPTH) {
  return {
    waitUntil: Promise.resolve(),
    response: new runtime.context.Response(null, {
      headers: {
        'x-middleware-next': '1',
      },
    }),
  }
}

Copied

By injecting a header like x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware, attackers force Next.js to assume middleware has already executed, leading to a full security bypass.

Real-World Security Risks

This vulnerability enables various high-impact attacks:

  1. Authentication Bypass. Attackers can gain unauthorized access to restricted areas such as admin panels or user dashboards.
  2. CSP Header Bypass. Attackers can circumvent middleware-enforced security headers, causing these critical protections to disappear.
  3. Geographic Restrictions Bypass. Attackers can spoof their location to access content that is restricted by geographic boundaries.

Mitigation Steps

To enhance the security of your application, consider these essential steps:

  1. Upgrade to a Patched Version. Ensure your application is secure by upgrading to Next.js versions 15.2.3 or later, or 14.2.25 or later, as these releases have addressed the identified vulnerability.
  2. Block Malicious Headers. If an immediate update isn’t feasible, implement a temporary measure by filtering out the x-middleware-subrequest header at the web server level to mitigate potential risks


How Upwind Protects Against This Threat

Upwind’s Runtime Security is designed to detect and flag malicious requests attempting to exploit vulnerabilities.

Our platform offers the following capabilities:

  • Live API Traffic Monitoring. Continuously monitors API traffic to detect exploitation attempts.
  • AI-based Anomaly Detection. Utilizes advanced AI algorithms to identify abnormal request patterns.
  • Real-Time Alerts. Notifies security teams immediately to prevent active attacks.
  • Exposure Overview. Offers a detailed overview of resources running vulnerable Next.js versions, enabling teams to quickly evaluate and address potential risks.

Learn More

By leveraging Upwind’s runtime security, organizations gain enhanced visibility into exploitation attempts, allowing them to dynamically protect their applications. To learn more about how Upwind protects against vulnerabilities, schedule a demo.