Nextjs Middleware Authorization Bypass Vulnerability
漏洞信息
漏洞名称: Next.js Middleware Authorization Bypass Vulnerability
漏洞编号:
- CVE: CVE-2025-29927
漏洞类型: 权限绕过
漏洞等级: 严重
漏洞描述: Next.js是一个流行的React框架,广泛用于构建现代化的Web应用程序。它支持服务器端渲染和静态网站生成,是企业级和开发者社区中广泛使用的技术。CVE-2025-29927是一个严重的权限绕过漏洞,影响Next.js的中间件功能,该功能通常用于处理认证、访问控制和重定向等安全相关任务。漏洞的根源在于Next.js错误地处理了内部使用的x-middleware-subrequest HTTP头。攻击者可以通过在请求中手动添加此头,欺骗Next.js跳过中间件的执行,从而绕过安全检查和访问受保护的端点,如管理界面或私有API。这种漏洞的存在意味着攻击者可以在不需要认证的情况下,直接访问敏感功能或数据,可能导致数据泄露、服务中断或权限提升。由于中间件在许多Next.js应用中被用作主要的安全控制机制,此漏洞的影响范围广泛,且易于被自动化工具利用。
产品厂商: Vercel
产品名称: Next.js
影响版本: 11.1.4 <= version <= 11.x, 12.0.0 <= version <= 12.3.4, 13.0.0 <= version <= 13.5.8, 14.0.0 <= version <= 14.2.24, 15.0.0 <= version <= 15.2.2
来源: https://github.com/Kamal-Hegazi/Next.js-Middleware-Exploit-CVE-2025-29927-Authorization-Bypass
类型: CVE-2025:github search
仓库文件
- README.md
来源概述
CVE‑2025‑29927 – Next.js Middleware Authorization Bypass
Overview
CVE‑2025‑29927 is a critical vulnerability (CVSS 9.1) in Next.js that allows attackers to bypass middleware‑based security checks such as authentication, access control, and redirects.
The issue affects applications deployed with next start or standalone output and occurs due to improper handling of the internal x‑middleware‑subrequest HTTP header. By crafting requests that include this header, an attacker can trick Next.js into skipping middleware execution, leading to unauthorized access to protected endpoints (e.g., /admin).
Affected Versions
The following ranges are confirmed vulnerable:
- 11.x: from 11.1.4 up to the latest 11.x release
- 12.x: from 12.0.0 up to 12.3.4
- 13.x: from 13.0.0 up to 13.5.8
- 14.x: from 14.0.0 up to 14.2.24
- 15.x: from 15.0.0 up to 15.2.2
Root Cause – Why This Happens
Next.js uses the header x‑middleware‑subrequest internally to mark requests as subrequests initiated by middleware. This prevents infinite recursion when middleware calls endpoints that themselves invoke middleware.
However, this header was never intended to be user‑controlled. If an external client sets it manually, Next.js assumes the request is internal and skips the middleware execution entirely, resulting in a complete authorization bypass.
In Next.js 15.x, the behavior changed slightly: middleware calls are limited by a MAX_RECURSION_DEPTH of 5. But by supplying the header with 5 values, an attacker can still hit this condition and bypass the middleware.
Execution flow of the vulnerability (source: Datadog Security Labs)
Exploitation
1. Basic Bypass
For versions prior to v15, a single x‑middleware‑subrequest value is enough:
1 | |
2. Recursive‑Depth Bypass (v15.x)
For v15.x, the attacker must include the value repeated five times to hit the recursion depth limit:
1 | |
cURL PoC:
1 | |
If /admin was protected only by middleware, the attacker now gains direct access.
Impact
- Authentication & Authorization Bypass – Direct access to protected routes (
/admin,/api/private). - Cache Poisoning / DoS – Malformed or unauthorized responses may get cached, impacting other users.
- Privilege Escalation – If backend logic relies solely on middleware checks, attackers may escalate privileges.
Mitigation
1. Upgrade
Upgrade to 14.2.25, 15.2.3, or later.
2. Strip the Header
If upgrading isn’t immediately possible, strip this header at the proxy or app server:
Nginx:
1 | |
Apache:
1 | |
Express.js middleware:
1 | |
3. Add Defense‑in‑Depth
Do not rely solely on middleware for authorization—enforce access checks at the API/controller level.
Detection
- Log Analysis: Look for external requests containing the
x-middleware-subrequestheader. - WAF/IDS: Deploy updated detection rules (e.g., Snort, F5, Check Point) that block this header.
References
Takeaway
If your Next.js app uses middleware for access control and runs on next start or standalone mode — patch now. Until then, strip the x‑middleware‑subrequest header and enforce redundant authorization checks on sensitive routes.