A critical security vulnerability (CVE-2025-29927) has been identified in Next.js, a popular React framework for building full-stack web applications. Disclosed on March 21, 2025, this flaw allows attackers to bypass authorization checks implemented within Next.js middleware, potentially granting unauthorized access to restricted areas of a web application, such as admin panels.
Affected Versions:
The vulnerability impacts the following Next.js versions:
- Next.js 15.x: Versions from 15.0.0 up to and including 15.2.2.
- Next.js 14.x: Versions from 14.0.0 up to and including 14.2.24.
- Earlier Versions: Versions from 11.1.4 up to and including 13.5.6.
Impact:
This vulnerability arises from how Next.js middleware handles requests with the x-middleware-subrequest HTTP header. Attackers can exploit this by crafting requests with specific values for this header, causing the middleware to skip authorization checks. This can lead to unauthorized access to sensitive parts of the application.
Mitigation:
To address this vulnerability, the Next.js team released the following patched versions:
- Next.js 15.2.3
- Next.js 14.2.25
It is strongly recommended that all users of affected versions upgrade to these patched versions immediately to secure their applications.
If immediate upgrading is not feasible, consider implementing the following temporary measures:
Block Malicious Headers: Configure your web server to reject requests containing the x-middleware-subrequest header. For example, in NGINX, you can add:
location / {
    # An empty value makes NGINX drop the header before the request reaches Next.js
    proxy_set_header x-middleware-subrequest "";
}
In Apache, use:
# Requires mod_headers
RequestHeader unset x-middleware-subrequest
Review Middleware Implementations: Ensure that critical authorization checks are not solely dependent on Next.js middleware. Implement additional server-side security measures to reinforce access controls.
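The two checks above, as an added example that is not part of the advisory or of the Next.js project: a helper that reports whether a pinned Next.js version falls in the affected ranges listed under Affected Versions, and a reverse-proxy style sanitizer that strips any externally supplied x-middleware-subrequest header and flags its presence so the event can be logged. Function names, the version-spec formats handled (pinned, ^ and ~) and the sample inputs are assumptions.

```javascript
// Added example (not from the advisory or from Next.js itself). Ranges and header
// name are taken from the advisory text; everything else is constructed here.
const AFFECTED_RANGES = [
  { min: [11, 1, 4], max: [13, 5, 6] },
  { min: [14, 0, 0], max: [14, 2, 24] },
  { min: [15, 0, 0], max: [15, 2, 2] },
];

const SUSPECT_HEADER = 'x-middleware-subrequest';

// Parse "15.2.2", "^14.2.24" or "14.2.24-canary.3" into [major, minor, patch].
// Returns null for specs this simple parser does not handle (e.g. ">=14.0.0").
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside one of the advisory's affected ranges.
function isAffectedNextVersion(spec) {
  const v = parseVersion(spec);
  if (!v) return false;
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

// Drop x-middleware-subrequest from inbound request headers (names compared
// case-insensitively) and report whether it was present. Returns a new object
// so the original headers are left untouched for logging.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  let flagged = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUSPECT_HEADER) {
      flagged = true; // worth a log line: external clients have no reason to send this
      continue;
    }
    clean[name] = value;
  }
  return { headers: clean, flagged };
}

// Constructed sample inputs, not real traffic or a real dependency manifest.
console.log(isAffectedNextVersion('^15.2.2'), isAffectedNextVersion('15.2.3'));
console.log(sanitizeInboundHeaders({ Host: 'app.example', 'X-Middleware-Subrequest': 'constructed' }));
```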