CVE-2025-29927 — Next.js middleware authentication bypass
An unauthenticated attacker can bypass any Next.js middleware — including authentication — by sending a single HTTP header. Affects all self-hosted Next.js applications below the patched versions.
- Next.js < 15.2.3
- Next.js 14 < 14.2.25
- Next.js 13 < 13.5.9
- Next.js 12 < 12.3.5
What an attacker does
The attacker sets the `x-middleware-subrequest` header on an HTTP request to any route in your app. Before the patch, Next.js interpreted this header as 'this request is an internal sub-invocation, skip middleware.' Result: every request that your auth middleware should have gated reaches the route handler without the middleware ever running.
How to detect
Send one crafted request yourself: `curl -H "x-middleware-subrequest: src/middleware" https://your-app/admin` (replace with any middleware-gated route). If the response is the protected page instead of a redirect, you're vulnerable. Also check your version with `grep '"next":' package.json`. Request Securie access at /scan for automated continuous detection.
How to fix
Upgrade Next.js to 15.2.3, 14.2.25, 13.5.9, or 12.3.5 depending on your major version. No code changes required.
Workaround if you cannot upgrade today
Block the `x-middleware-subrequest` header at your edge / CDN / reverse proxy until you can upgrade. On Vercel, add a header-match rewrite that drops the request.
How Securie catches CVE-2025-29927
Securie's Next.js specialist runs this probe on every covered deploy. Request access at /scan to route your repo to public OSS verification or a managed private plan.