Next.js Critical Middleware Vulnerability (CVE-2025-29927) Explained

The Next.js team has disclosed a severe security vulnerability affecting self-hosted Next.js applications using Middleware. Tracked as CVE-2025-29927, this exploit carries a CVSS severity of 9.1—posing a major risk to projects relying on Middleware for authorization and security checks.

What Caused the Vulnerability?

Next.js uses an internal header x-middleware-subrequest to prevent recursive requests in Middleware. The vulnerability allowed attackers to skip Middleware execution entirely by crafting requests that bypassed this internal check.

The result?

• Critical checks like authorization cookies were skipped
• Attackers could directly access protected routes without authentication
• Real risk of privilege escalation or data exposure

Who is Affected?

Impacted:

• Self-hosted Next.js apps
• Running next start with output: 'standalone'
• Middleware-based authentication or security flows

Not Affected:

• Apps hosted on Vercel or Netlify
• Static exports (Middleware skipped)

Timeline of the Incident

Patched Versions

What Should You Do Now?

If you’re self-hosting and rely on Middleware:

• Upgrade immediately to the correct patched version
• If patching isn’t possible, block requests with the x-middleware-subrequest header
• Cloudflare users: Enable WAF rules

Next.js Security Takeaways

CVE-2025-29927 shows how complex SSR and Middleware flows can introduce serious risks.

The Next.js team has issued 16 security advisories since 2016, but this one stands out due to:

• Impact on core auth and security
• Simple bypass with a header
• Broad scope of affected versions

Final Thoughts

Modern frameworks are powerful but increase your attack surface. Always stay updated and monitor advisories like this one.