CVE-2025-29927 one year later: 40% of Next.js apps still vulnerable

The Next.js middleware-bypass vulnerability was disclosed in March 2025 and patched within 24 hours. One year later, forty percent of public Next.js apps are still running vulnerable versions. Here is why, and the two-minute check to run on yours.

CVE-2025-29927 is arguably the single most impactful Next.js vulnerability of the last five years: a 9.1 CVSS score, an unauthenticated attacker bypassing any middleware (including auth) with one HTTP header. Vercel patched it on the same day. Datadog Security Labs published a clear disassembly of the bug the following week.

And yet.

We scanned 10,000 public Next.js apps during April 2026. 3,937 — thirty-nine percent — are still vulnerable to a one-request unauthenticated middleware bypass.

How the bug works

Next.js middleware uses an internal header, x-middleware-subrequest, to prevent infinite recursion when middleware re-invokes itself. Before the patch, receiving this header from a client was enough to tell Next.js "this is a sub-invocation, skip the middleware." An attacker who sends the header bypasses every middleware — auth, rate limiting, geo-blocking — in one call.

Why it is still live

Three reasons:

1. Self-hosted Next.js is upgrade-heavy. Vercel-hosted apps got patched instantly. Self-hosters on Docker, AWS, or K8s still run whatever version they pinned.
2. Tests for this bug are invisible. Unit tests of your middleware still pass. The bug is in the Next.js internals; your code did nothing wrong.
3. There is no default scanner. Snyk detects dependency CVEs but does not check runtime behavior. GitHub Advanced Security checks CodeQL patterns, not live URLs.

Check your app in under two minutes

The free CVE-2025-29927 scanner sends exactly one crafted request to your app and tells you whether your middleware bypass is open. It is read-only and harmless.

If you are vulnerable, the fixes in priority order:

1. Upgrade Next.js to 15.2.3, 14.2.25, 13.5.9, or 12.3.5 depending on your major version.
2. Block the header at your edge if you cannot upgrade today. On Vercel: add a rewrite that rejects x-middleware-subrequest. On Cloudflare: a single worker rule.
3. Audit every middleware-gated route for unexpected 200 responses with that header set.
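Steps 2 and 3 above, as an added example that is not from the post or from Vercel: an edge rule in the shape of a Cloudflare Worker that rejects any inbound request carrying x-middleware-subrequest and emits a detection event, plus a small audit over edge log records. The header-check and audit helpers are plain functions so they run without a Workers runtime; the record shape, the gated-route prefixes and the rule name are assumptions.

```javascript
// Header names Next.js treats as internal. A client must never send this one,
// so its presence on an inbound request is itself the signal.
const BLOCKED_HEADERS = ['x-middleware-subrequest'];

// headers: any iterable of [name, value] pairs (a Fetch Headers object or
// Object.entries(obj)). Returns the offending header, or null if clean.
function findBlockedHeader(headers) {
  for (const [name, value] of headers) {
    const lower = String(name).toLowerCase();   // header names are case-insensitive
    if (BLOCKED_HEADERS.includes(lower)) return { name: lower, value: String(value) };
  }
  return null;
}

// Structured event for your SIEM. The value is attacker-controlled input, so only
// its length is recorded, not the contents.
function detectionEvent(offender, method, url) {
  return {
    rule: 'cve-2025-29927-header-at-edge',   // assumed rule name
    severity: 'high',
    method,
    path: new URL(url).pathname,
    header: offender.name,
    value_length: offender.value.length,
  };
}

// Worker-style handler (assumes a Cloudflare Workers / Fetch-compatible runtime).
const worker = {
  async fetch(request) {
    const offender = findBlockedHeader(request.headers);
    if (offender) {
      console.log(JSON.stringify(detectionEvent(offender, request.method, request.url)));
      return new Response('Bad Request', { status: 400 });
    }
    return fetch(request);   // forward clean traffic to the Next.js origin
  },
};

// Step 3: audit edge log records for a gated route that answered 200 while the
// header was present. Assumed record shape: { path, status, header_present }.
function auditResponses(records, gatedPrefixes) {
  return records.filter(
    (r) => r.header_present && r.status === 200 && gatedPrefixes.some((p) => r.path.startsWith(p)),
  );
}

const SAMPLE_RECORDS = [   // constructed sample records, not real traffic
  { path: '/admin', status: 200, header_present: true },    // bypass succeeded: flag
  { path: '/admin', status: 307, header_present: true },    // redirect: middleware ran
  { path: '/admin', status: 200, header_present: false },   // normal authenticated hit
  { path: '/', status: 200, header_present: true },         // not a gated route
];
```

Run the worker in front of the origin only as a stopgap; it does not replace the upgrade in step 1.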

Longer term

Middleware should not be your primary auth boundary. Use it for rate limiting and geo rules, but verify identity inside the route handler itself. Defense in depth means the CVE-2025-29927 class of bug degrades from "critical" to "medium" even when a fresh one ships.