Attackers Can Bypass Middleware Auth Checks by Exploiting Critical Next.js Flaw

A critical vulnerability in the Next.js React framework has been identified that can be exploited to bypass authorization checks under certain conditions. This security flaw, tracked as CVE-2025-29927 (CVSS score of 9.1), was addressed with the release of versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3 by Next.js maintainers.

According to an advisory from Next.js maintainers, "Next.js version 15.2.3 has been released to address a security vulnerability (CVE-2025-29927). Additionally, backported patches are available." They also recommend that all self-hosted Next.js deployments using `next start` and `output: 'standalone'` update immediately.

Authorization checks in Next.js middleware can be bypassed, potentially allowing unauthorized access to a website or application. This is possible because the authorization check occurs within the middleware, so bypassing the middleware bypasses the check.

Maintainers of Next.js also provide a workaround for those who cannot patch their deployment immediately. They recommend blocking external requests that contain the `x-middleware-subrequest` header so that they never reach the Next.js application.
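One way to apply this workaround when no reverse proxy rule is available, shown as an added example (not code from the Next.js advisory or project): a small Node.js front-end filter that rejects any request carrying the header and forwards everything else. The upstream address `127.0.0.1:3000`, the listen port `8080`, the `--listen` switch and the function names are assumptions.

```javascript
const http = require('http');

const BLOCKED_HEADER = 'x-middleware-subrequest';
// Assumption: Next.js listens on loopback only, so this filter is the sole external entry point.
const UPSTREAM = { host: '127.0.0.1', port: 3000 };

// rawHeaders is the flat [name, value, name, value, ...] list exactly as received,
// so the check covers any casing and duplicate occurrences of the header name.
function carriesBlockedHeader(rawHeaders) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).trim().toLowerCase() === BLOCKED_HEADER) return true;
  }
  return false;
}

// Decision logic kept separate from I/O so it can be unit-tested.
function decide(req) {
  if (carriesBlockedHeader(req.rawHeaders || [])) {
    return { action: 'reject', status: 403 };
  }
  return { action: 'forward' };
}

function handler(req, res) {
  const verdict = decide(req);
  if (verdict.action === 'reject') {
    // Log the rejection so the attempt is visible to monitoring.
    console.warn(`blocked ${req.method} ${req.url} from ${req.socket.remoteAddress}: ${BLOCKED_HEADER} present`);
    res.writeHead(verdict.status, { 'content-type': 'text/plain' });
    res.end('Forbidden\n');
    return;
  }
  const upstream = http.request(
    { ...UPSTREAM, method: req.method, path: req.url, headers: req.headers },
    (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); }
  );
  upstream.on('error', () => { res.writeHead(502); res.end('Bad gateway\n'); });
  req.pipe(upstream);
}

// Start the filter only when asked: node filter.js --listen
if (process.argv.includes('--listen')) {
  http.createServer(handler).listen(8080, () => console.log('filter listening on :8080'));
}
```

The filter only helps if the Next.js port itself is unreachable from outside; upgrading to a fixed version remains the actual fix.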

Researchers Allam Rachid (zhero) and Allam Yasser (inzo_) reported this vulnerability and published technical details about the issue. Cybersecurity firm JFrog warned that websites using middleware for user authorization without additional checks are exposed to hacking.

Next.js users with `middleware.ts` or `_middleware.ts` files, or those using certain npm packages, are at risk. Any website that uses Middleware to authorize users without any additional authorization checks is also vulnerable. The presence of `middleware.ts` or `_middleware.ts` in a deployment indicates that a Middleware exists, but not necessarily that it is configured securely.

It's essential for Next.js users to take immediate action and update their deployments to the latest version to ensure the security of their applications. Regularly reviewing and updating middleware configurations can also help prevent such vulnerabilities.

Technical Details:

  • CVE-2025-29927: Critical vulnerability in Next.js React framework.
  • CVSS score: 9.1.
  • Fixed versions: 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Risks and Mitigation:

  • Risk: Authorization checks can be bypassed in Next.js middleware.
  • Mitigation: Block external requests that contain the `x-middleware-subrequest` header.
  • Rewarding users who report vulnerabilities like this one to help improve security.