
Next.js Middleware Authorization Bypass (CVE-2025-29927)


Overview

Next.js Middleware Authorization Bypass, tracked as CVE-2025-29927, affects Next.js applications that rely on middleware for authorization checks. Next.js is a React framework for full-stack web applications, and its middleware is commonly used to protect routes, enforce access control, and apply request-time security logic.

Vulnerability Overview

CVE-2025-29927 makes it possible to bypass authorization checks when those checks occur in Next.js middleware. The vulnerability is associated with how middleware subrequests are identified and handled.

The vendor advisory recommends upgrading to fixed versions. If patching is not immediately possible, external user requests containing the x-middleware-subrequest header should be prevented from reaching the Next.js application.

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.1. Successful exploitation can bypass middleware-based authorization and expose protected application routes or workflows.

The impact depends on how much security logic the application places in middleware. Applications that use middleware as the primary gate for dashboards, admin routes, API access, or tenant separation face the highest risk.

Vulnerability Scope

The affected ranges are Next.js 11.1.4 up to but not including 12.3.5, 13.0.0 up to but not including 13.5.9, 14.0.0 up to but not including 14.2.25, and 15.0.0 up to but not including 15.2.3. The fixed versions are 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Applications that do not rely on Next.js middleware for authorization, or that run fixed versions and filter the relevant external header where needed, are not within the vulnerable condition this lab targets.
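The two defensive tasks this page describes, checking an installed version against the affected ranges above and applying the advisory's interim header filter, as an added example that is not part of the Hackviser lab or the Next.js project. The version ranges and the x-middleware-subrequest header name come from this page; the function names and the sample headers are constructed for illustration.

```javascript
// Affected ranges from the advisory: [min inclusive, fixed exclusive].
const AFFECTED_RANGES = [
  { min: '11.1.4', fixed: '12.3.5' },
  { min: '13.0.0', fixed: '13.5.9' },
  { min: '14.0.0', fixed: '14.2.25' },
  { min: '15.0.0', fixed: '15.2.3' },
];

// Parse "MAJOR.MINOR.PATCH" into integers; prerelease suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 14.2.25 sorts after 14.2.9.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Classify an installed Next.js version and name the upgrade target.
function assessNextVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.min) >= 0 &&
        compareVersions(version, r.fixed) < 0) {
      return { affected: true, fixedVersion: r.fixed };
    }
  }
  return { affected: false, fixedVersion: null };
}

// Interim mitigation: drop the internal subrequest header from any request
// that arrives from outside (run this at the proxy/edge in front of the app).
// Matching is case-insensitive because HTTP header names are.
const INTERNAL_HEADER = 'x-middleware-subrequest';

function stripExternalSubrequestHeader(headers) {
  const sanitized = {};
  let removed = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) { removed = true; continue; }
    sanitized[name] = value;
  }
  // `removed` is worth logging: an external request carrying this header
  // is a useful detection signal.
  return { headers: sanitized, removed };
}
```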

Lab Focus

This Hackviser lab focuses on understanding why middleware-only authorization can become fragile when framework internals are bypassed. You will practice identifying affected Next.js versions, recognizing middleware authorization boundaries, and mapping the CVE details to secure application routing design.
