What you need to know
On March 21, 2025, Vercel released a security advisory for CVE-2025-29927 in Next.js
CVE-2025-29927 is an authorization bypass vulnerability in Next.js middleware
The vulnerability affects versions:
15.x before 15.2.3
14.x before 14.2.25
13.x before 13.5.9
12.x before 12.3.5
11.x, all versions
Fastly NGWAF customers can protect themselves from this vulnerability by enabling the templated rule for CVE-2025-29927.
CVE-2025-29927 Vulnerability Details
Next.js is a popular React framework for building full-stack web applications. In Next.js, Middleware is a feature that lets you run code before a request is processed by a route. It enables dynamic request handling, such as authorization, redirects, and response modifications, before the request reaches an API route or page. This vulnerability lies in how Next.js decides whether to apply middleware to a given request. When a request is processed, Next.js reads the x-middleware-subrequest header and uses its value to determine whether to apply middleware. When the header's value contains a specific value (different for each vulnerable version), Next.js skips all middleware and forwards the request.
In short, when a request contains the x-middleware-subrequest header with a (version-specific) value, Next.js middleware is bypassed.
Earlier versions of Next.js look for the value of the middlewareInfo.name variable to be present in the header's value. This is simply the path where the middleware is located, but it differs across versions and installations.
Here’s how it looks by version:
Prior to version 12.2
The middleware by default exists at pages/_middleware.ts, so the payload is pages/_middleware. It must be in a pages/ directory in these versions. However, you can have nested directories with middleware, so it could be something like pages/example/_middleware depending on application configuration.
After version 12.2 but before version 15.x
The middleware is no longer located in the pages directory, and the underscore prefix has been removed; however, Next.js also supports a /src directory where the middleware file could be located. The payload contains either middleware or src/middleware.
Version 15.x
Next.js now checks for the middlewareInfo.name to be present at least 5 times in order to bypass middleware, and the /src directory remains a possibility as well. The payload contains either middleware:middleware:middleware:middleware:middleware or src/middleware:src/middleware:src/middleware:src/middleware:src/middleware:
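As an added example that is not part of this post or of Next.js itself, the following Node.js snippet classifies an inbound request's x-middleware-subrequest header against the version-specific values listed above and strips the header, as a reverse proxy or log pipeline in front of an unpatched application would. The function names and the sample requests are constructed for illustration.

```javascript
// Added example, not from the Fastly post or Next.js. The header is internal to
// Next.js, so any external request carrying it is flagged; classifyValue reports
// which vulnerable version's value it resembles. Function names are hypothetical.
const HEADER = 'x-middleware-subrequest';

// Bypass values described in the post:
//   before 12.2        pages/_middleware, possibly nested (pages/<dir>/_middleware)
//   12.2 up to 15.x    middleware or src/middleware
//   15.x               that name repeated at least 5 times, colon-separated
const LEGACY_PAGES_NAME = /^pages\/(?:[^:]+\/)?_middleware$/;
const MODERN_NAME = /^(?:src\/)?middleware$/;

// Returns 'pre-12.2', '12.2-14.x', '15.x', or 'none' for a header value.
function classifyValue(value) {
  const segments = String(value).split(':').filter((s) => s.length > 0);
  if (segments.some((s) => LEGACY_PAGES_NAME.test(s))) return 'pre-12.2';
  const hits = segments.filter((s) => MODERN_NAME.test(s)).length;
  if (hits >= 5) return '15.x';
  if (hits >= 1) return '12.2-14.x';
  return 'none';
}

// Inspects a header map; header names are compared case-insensitively because
// proxies and raw logs do not always normalize them the way Node's req.headers does.
function inspectHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === HEADER);
  if (key === undefined) return { flagged: false, pattern: null };
  return { flagged: true, pattern: classifyValue(headers[key]) };
}

// Returns a copy of the header map with every spelling of the header removed,
// so an unpatched Next.js origin never sees a client-supplied value.
function stripInternalHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== HEADER),
  );
}

// Constructed sample requests as an edge proxy would see them.
const samples = [
  { host: 'app.example', 'x-middleware-subrequest': 'middleware' },
  { host: 'app.example', 'X-Middleware-Subrequest': 'pages/example/_middleware' },
  { host: 'app.example', accept: 'text/html' },
];
for (const h of samples) {
  const verdict = inspectHeaders(h);
  const action = verdict.flagged ? `flag (resembles ${verdict.pattern} value)` : 'pass';
  console.log(action, 'forwarded headers:', Object.keys(stripInternalHeader(h)));
}
```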
For more details on the vulnerabilities and their discovery, Rachid and Yasser detail them in their post here. In addition to the authorization bypass, they also illustrate how the vulnerability can be exploited to cause a Denial of Service through cache poisoning.
Actionable recommendations
Fastly recommends updating, if possible, to the following patched versions of Next.js that fix this vulnerability:
For 15.x, fixed in 15.2.3
For 14.x, fixed in 14.2.25
For 13.x, fixed in 13.5.9
For 12.x, fixed in 12.3.5
For 11.x, there is no available patch
For Fastly NGWAF customers
If you cannot patch your version of Next.js, need time to apply the patch, or are looking for additional protections for this vulnerability, you can enable the templated rule for CVE-2025-29927. If you need additional help applying a virtual patch, please contact our security support team for assistance.