Vulnerability Alert CVE-2025-29927: Next.js Middleware Authorization Bypass Vulnerability

CVE-2025-29927 – Root Cause Analysis

The vulnerability arises from a design flaw in how Next.js handles an internal header called x-middleware-subrequest. Next.js uses this header internally to mark subrequests (requests initiated by Middleware itself) in order to prevent infinite recursion loops in Middleware execution. However, the server’s logic did not distinguish between internal vs. external sources of this header. In the Next.js request processing (specifically in the runMiddleware function), the code checks for the presence of an x-middleware-subrequest header; if the header exists with a certain value, Next.js assumes the request is an internal call and skips executing the Middleware entirely.

In other words, a request tagged as a “middleware subrequest” will bypass any Middleware-defined authentication or validation and go straight to the intended route handler. Because Next.js would trust this header blindly, an attacker can exploit the behavior by sending a normal HTTP request that includes a fake x-middleware-subrequest header. By giving the header the expected value that Next.js uses for internal calls, the attacker tricks the server into not running the Middleware at all. This means critical security checks (like verifying session cookies or user roles) never happen for that request, allowing unauthorized requests to slip through and access privileged content.

CVE-2025-29927 – Patch

The Next.js team acted quickly to fix this issue once identified. The core of the patch was to change how x-middleware-subrequest is handled so that untrusted requests can no longer abuse it as a bypass switch. In the patched releases, Next.js no longer honors an x-middleware-subrequest header coming from external HTTP requests. The framework’s internal logic was updated to ensure that Middleware always runs for normal client requests—effectively eliminating the vulnerable “shortcut” code path.

Developers should upgrade to the fixed Next.js versions to fully remediate the issue. Patches were released across all affected major versions: Next.js 12.3.5, 13.5.9, 14.2.25, and 15.2.3 contain the fix for CVE-2025-29927. Applications running older versions should upgrade immediately. If upgrading is not immediately possible, a recommended mitigation is to block or strip the x-middleware-subrequest header on the edge (e.g., in a reverse proxy or load balancer) so that no external request can carry it into the Next.js application. Once updated to a patched release, the Next.js server itself will handle the header safely, and normal Middleware protections will apply to every request as intended.

Evidence of Runtime Exposure with Kodem SCA

Identifying that your application uses a vulnerable Next.js version is only the first step. Security teams also need to know if that vulnerability is actually reachable or has been triggered in their environment. This is where Kodem’s Runtime Software Composition Analysis (SCA) provides crucial insight. Kodem’s platform can detect not just the presence of a vulnerable package, but also whether the specific code associated with a CVE was ever loaded or executed during runtime.

In the case of CVE-2025-29927, Kodem Runtime SCA confirmed that the vulnerable code path was indeed invoked in a customer’s production environment. Kodem monitored the Next.js application at runtime and observed that while the application did include a vulnerable Next.js version, some processes actually called the function responsible for handling the x-middleware-subrequest logic during normal operation. In Kodem’s interface, the “Runtime Evidence” section for this issue showed that the relevant Next.js middleware routine was loaded, indicating that the skip-middleware code path was actively in use.

This evidence greatly increases the risk profile for the customer, as it demonstrates that their application is open to attack if an adversary chooses to exploit the flaw. Kodem correlates this runtime information with exact context—identifying the specific process, container image, and environment where the component is running. By leveraging runtime SCA insights, organizations can focus their patching efforts where it truly matters and have concrete evidence to verify that their applications are actively exposed to CVE-2025-29927.
‍

References

Apache Software Foundation. (2025). Security Advisory for CVE-2025-24813: Apache Tomcat Partial PUT Vulnerability.

Next.js. (2025). CVE-2025-29927: Next.js Middleware Authorization Bypass.

ZeroPath. (2025). CVE-2025-29927 Next.js Middleware Auth Bypass.

‍