CVE-2025-29927: Authorization Bypass in Next.js

Matthew Mathur

Senior Security Researcher, Fastly

Fastly Security Research Team

What you need to know

  • On March 21, 2025, Vercel released a security advisory for CVE-2025-29927 in Next.js

  • CVE-2025-29927 is an authorization bypass vulnerability in Next.js middleware

  • The vulnerability affects versions:

    • 15.x before 15.2.3

    • 14.x before 14.2.25

    • 13.x before 13.5.9

    • 12.x before 12.3.5

    • 11.x, all versions

Fastly NGWAF customers can protect themselves from this vulnerability by enabling the templated rule for CVE-2025-29927.

CVE-2025-29927 Vulnerability Details

Next.js is a popular React framework for building full-stack web applications. In Next.js, Middleware is a feature that lets you run code before a request is processed by a route. It enables dynamic request handling, such as authorization, redirects, and response modifications, before the request reaches an API route or page. This vulnerability involves how Next.js decides whether to apply middleware to a given request. When a request is processed, Next.js reads the x-middleware-subrequest header and uses its value to decide whether middleware should run. When that header carries a specific, version-dependent value, Next.js skips all middleware and forwards the request.

In short, when a request contains the x-middleware-subrequest header and a (version-specific) value, Next.js middleware will be bypassed.

Earlier versions of Next.js check whether the value of the middlewareInfo.name variable is present in the header’s value. This is simply the path where the middleware file is located, which differs across versions and installations.

Here’s how it looks by version:

  • Prior to version 12.2

    • The middleware by default exists at pages/_middleware.ts, so the payload is pages/_middleware. In these versions it must be in a pages/ directory.

    • However, you can have nested directories with middleware, so it could be something like pages/example/_middleware depending on application configuration.

  • After version 12.2 but before version 15.x

    • The middleware is no longer located in the pages directory and the underscore prefix has been removed. However, Next.js also supports a /src directory where the middleware file can be located.

    • The payload contains either middleware or src/middleware.

  • Version 15.x

    • Next.js now checks for middlewareInfo.name to be present at least 5 times in order to bypass middleware, and the /src directory remains a possibility as well.

    • The payload contains either middleware:middleware:middleware:middleware:middleware or src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:
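As an added example (not code from the Fastly post or from Next.js), here is an edge-side check in JavaScript that flags inbound external requests carrying the x-middleware-subrequest header, labels which version family the value would target using a simplified form of the rules above, and strips the header before forwarding, the kind of virtual patch a WAF rule performs. The function names and the sample requests are constructed for this example.

```javascript
const BYPASS_HEADER = 'x-middleware-subrequest';

// Case-insensitive lookup over a Node-style headers object; string[] values
// (repeated header) are joined the way Node does, with ", ".
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v.join(', ') : String(v);
  }
  return null;
}

// Mirror the version-specific values described in the post (simplified):
//   pre-12.2    a pages/.../_middleware path
//   12.2-14.x   "middleware" or "src/middleware"
//   15.x        that segment present at least 5 times, colon-separated
function classifyBypassValue(value) {
  const segments = value.split(/[:,\s]+/).filter(Boolean);
  const legacy = segments.filter((s) => /^pages\/(?:.+\/)?_middleware$/.test(s));
  const modern = segments.filter((s) => /^(?:src\/)?middleware$/.test(s));
  if (legacy.length > 0) return 'pre-12.2';
  if (modern.length >= 5) return '15.x';
  if (modern.length > 0) return '12.2-14.x';
  return null;
}
// Decision for an inbound external request. Browsers never legitimately send
// this internal header, so presence alone is enough to block; the classification
// only enriches the alert with which version family the value would target.
function inspectRequest(headers) {
  const value = getHeader(headers, BYPASS_HEADER);
  if (value === null) return { action: 'allow', target: null };
  return { action: 'block', target: classifyBypassValue(value) ?? 'unrecognised' };
}

// Virtual patch for a proxy that must still forward to the origin: return a copy
// of the headers without the internal header, so origin middleware always runs.
function stripInternalHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== BYPASS_HEADER),
  );
}
// Constructed sample requests (not captured traffic) for a quick local run.
const SAMPLES = {
  normal: { host: 'app.example', accept: 'text/html' },
  legacy: { host: 'app.example', 'x-middleware-subrequest': 'pages/example/_middleware' },
  v15: { host: 'app.example', 'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' },
};
for (const [n, h] of Object.entries(SAMPLES)) console.log(n, inspectRequest(h), Object.keys(stripInternalHeaders(h)));
```

Blocking on the header's presence is the robust choice; the per-version classification is deliberately loose and is meant for alert enrichment, not as the allow/deny decision.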

For more details on the vulnerability and its discovery, see Rachid and Yasser’s post here. In addition to the authorization bypass, they also illustrate how the vulnerability can be exploited to cause a Denial of Service through cache poisoning.

Actionable recommendations

Fastly recommends updating, if possible, to the following patched versions of Next.js that fix this vulnerability:

  • For 15.x, fixed in 15.2.3

  • For 14.x, fixed in 14.2.25

  • For 13.x, fixed in 13.5.9

  • For 12.x, fixed in 12.3.5

  • For 11.x, there is no available patch

For Fastly NGWAF customers

If you cannot patch your version of Next.js, need time to apply the patch, or are looking for additional protections for this vulnerability, you can enable the templated rule for CVE-2025-29927. If you need additional help applying a virtual patch, please contact our security support team for assistance.