
Understanding Next.js’s middleware vulnerability

Blog post from LogRocket

Author: David Omotayo
Word count: 1,927
Summary

A critical authentication bypass vulnerability, identified as CVE-2025-29927, affects Next.js versions 11.1.4 through early 15.x, allowing attackers to bypass middleware-based security checks by exploiting the x-middleware-subrequest header. Though managed hosting platforms like Vercel and static sites were safeguarded, self-hosted applications relying on middleware for access control are particularly vulnerable. The issue, which permits unauthorized access to protected routes, can be mitigated by upgrading to patched versions 13.5.6, 14.2.24, or 15.2.2 and above, or by implementing additional security checks directly within protected routes for those unable to upgrade immediately. The vulnerability, discovered by researchers zhero and inzo, underscores the importance of regular software updates and cautious reliance on HTTP headers for security purposes, as these are susceptible to manipulation. Next.js developers and app owners are encouraged to take proactive measures to protect their applications from potential exploitation, particularly as unauthorized access could result in exposure of sensitive data, leading to compliance issues and reputational damage.