Security vulnerability detected in Next.js

A critical security vulnerability has been found in the Next.js React framework that allows an attacker to bypass authorization checks under specific circumstances. CVE-2025-29927 has been given a CVSS score of 9.1 out of 10.

The advisory from Next.js says that “Next.js employs an internal header, x-middleware-subrequest, to prevent recursive requests from causing infinite loops.”

Because of the flaw, it was possible to skip middleware execution entirely, so requests could evade critical checks, such as validation of authorization cookies, before reaching their destination routes.

Notably, CVE-2025-29927 only affects self-hosted installations using “next start” with the “output: standalone” configuration. Thus, Next.js applications hosted on Vercel or Netlify, or deployed as static exports, are not susceptible.

The patch has been applied in Next.js 12.3.5, 13.5.9, 14.2.25 and 15.2.3. Users who are unable to patch are advised to block external requests carrying the x-middleware-subrequest header from reaching the Next.js application.

Rachid Allam, also known as Zhero and cold-try, the security researcher who discovered the vulnerability, has since published further technical details about the flaw and stressed the urgency for users to update.

JFrog highlighted that the vulnerability allows attackers to effortlessly circumvent authorization checks performed in Next.js middleware, which could lead to unauthorized access to sensitive web pages meant for administrators or other privileged users. 

The company further warned that any website utilizing middleware for user authorization without supplementary checks is susceptible to CVE-2025-29927, potentially enabling attackers to access restricted areas like admin pages.

CVE-2025-29927 affects all Next.js versions. Although the exploitation details vary slightly between versions, the core vulnerability remains the same. For the earlier versions, the exploit consists of a specially crafted request header whose value contains _middleware.
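The following is an added example, not code from the article or from the Next.js project, showing the defensive side of two points above: the interim recommendation to block external requests carrying the x-middleware-subrequest header when patching is not yet possible, and the note that the header value differs between versions (so presence of the header, not a particular value, is the signal to act on). The handler shape, the fake response object and the access-log format are assumptions for this example; the sample log lines are constructed.

```javascript
// Added example, not code from the article or from the Next.js project.
// Two defensive pieces for the stop-gap the advisory recommends when patching
// is not yet possible: (1) a guard that rejects external requests carrying the
// internal x-middleware-subrequest header, to sit in front of `next start`;
// (2) a scan over access-log lines to find requests that carried it.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// True if the header is present under any capitalisation. Presence alone is the
// signal: the article notes the required value differs between versions
// (older ones used a value containing "_middleware"), and no legitimate
// external client ever sends this internal header.
function carriesInternalHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER
  );
}

// Connect/Express-style handler (assumed shape) for a reverse proxy or custom
// server placed before Next.js. Answers 403 and returns false when the header
// is present, otherwise calls next() and returns true. Rejecting rather than
// silently stripping keeps the probe visible in logs. It must run before
// Next.js, because Next.js middleware itself is what the header causes to be
// skipped.
function blockSubrequestHeader(req, res, next) {
  if (carriesInternalHeader(req.headers)) {
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden');
    return false;
  }
  next();
  return true;
}

// Detection over access logs. The line format is an assumption for this
// example: '<client> <method> <path> <status> "<header-name>: <value>"' with
// one notable header echoed by the proxy. Returns offending lines with their
// 1-based line numbers.
function findSubrequestHeaderHits(lines) {
  const needle = INTERNAL_HEADER + ':';
  const hits = [];
  lines.forEach((line, i) => {
    if (line.toLowerCase().includes(needle)) {
      hits.push({ lineNo: i + 1, line });
    }
  });
  return hits;
}

// Constructed sample log (RFC 5737 documentation addresses), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 GET /admin 302 "cookie: session=expired"',
  '203.0.113.7 GET /admin 200 "X-Middleware-Subrequest: middleware"',
  '198.51.100.2 GET / 200 "accept: text/html"',
  '203.0.113.7 GET /api/admin/users 200 "x-middleware-subrequest: src/middleware:src/middleware"',
];

// Minimal stand-in for a Node http.ServerResponse, so the guard can be
// exercised without opening a socket.
function makeFakeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: null,
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body; },
  };
}

// Runs the guard against a constructed request and reports what happened.
function simulate(headers) {
  const res = makeFakeResponse();
  let reachedApp = false;
  const passed = blockSubrequestHeader({ headers }, res, () => { reachedApp = true; });
  return { passed, reachedApp, status: res.statusCode };
}

console.log(simulate({ 'x-middleware-subrequest': 'middleware' }));
console.log(simulate({ cookie: 'session=abc' }));
console.log(findSubrequestHeaderHits(SAMPLE_LOG).map((h) => h.lineNo));
```

The guard belongs at the edge (reverse proxy, load balancer or a custom Node server wrapping `next start`), since that is the only place the external request can be stopped before Next.js decides whether to run its middleware. The log scan is the corresponding retrospective check: any hit in historical access logs is worth investigating, because a legitimate client has no reason to send this header.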
