Nextjs Middleware Authorization Bypass Vulnerability
Vulnerability Information
Vulnerability name: Next.js Middleware Authorization Bypass Vulnerability
Vulnerability identifiers:
- CVE: CVE-2025-29927
Vulnerability type: Authorization bypass
Severity: Critical
Description: Affected product: Next.js is a popular React framework for building server-rendered and statically generated web applications. It is widely used in enterprise services and modern web application development and supports several deployment modes, including next start and standalone output mode. Its flexibility and rich feature set have made it very popular in the developer community.
Explanation: This vulnerability is an authorization bypass whose technical root cause is Next.js's improper handling of the internal HTTP header x-middleware-subrequest. By crafting a request that includes this header, an attacker can trick Next.js into skipping middleware execution, thereby bypassing middleware-based security checks such as authentication, access control and redirects. The vulnerability is particularly dangerous because it allows direct access to protected endpoints (such as /admin) without any authentication.
Impact analysis: The security risk posed by this vulnerability is extremely serious: an attacker can exploit it to bypass authentication and authorization and access sensitive routes directly. It may also lead to cache poisoning or denial-of-service (DoS) attacks that affect other users. In some cases, if the backend logic relies solely on middleware for its checks, an attacker may also achieve privilege escalation. Notably, the vulnerability can be exploited without authentication and the attack can be automated, which greatly increases its potential harm.
Vendor: Vercel
Product: Next.js
Affected versions: 11.1.4 < version <= 11.x latest, 12.0.0 < version <= 12.3.4, 13.0.0 < version <= 13.5.8, 14.0.0 < version <= 14.2.24, 15.0.0 < version <= 15.2.2
Source: https://github.com/Kamal-Hegazi/CVE-2025-29927-Next.js-Middleware-Authorization-Bypass
Type: CVE-2025:github search
Repository files
- README.md
Source overview
CVE-2025-29927 – Next.js Middleware Authorization Bypass
Overview
CVE-2025-29927 is a critical vulnerability (CVSS 9.1) in Next.js that allows attackers to bypass middleware-based security checks such as authentication, access control, and redirects.
The issue affects applications deployed with next start or standalone output and occurs due to improper handling of the internal x-middleware-subrequest HTTP header. By crafting requests that include this header, an attacker can trick Next.js into skipping middleware execution, leading to unauthorized access to protected endpoints (e.g., /admin).
Affected Versions
The following ranges are confirmed vulnerable:
- 11.x: from 11.1.4 up to the latest 11.x release
- 12.x: from 12.0.0 up to 12.3.4
- 13.x: from 13.0.0 up to 13.5.8
- 14.x: from 14.0.0 up to 14.2.24
- 15.x: from 15.0.0 up to 15.2.2
Root Cause – Why This Happens
Next.js uses the header x-middleware-subrequest internally to mark requests as subrequests initiated by middleware. This prevents infinite recursion when middleware calls endpoints that themselves invoke middleware.
However, this header was never intended to be user‑controlled. If an external client sets it manually, Next.js assumes the request is internal and skips the middleware execution entirely, resulting in a complete authorization bypass.
In Next.js 15.x, the behavior changed slightly: middleware calls are limited by a MAX_RECURSION_DEPTH of 5. But by supplying the header with 5 values, an attacker can still hit this condition and bypass the middleware.
Execution flow of the vulnerability (source: Datadog Security Labs)
Exploitation
1. Basic Bypass
For versions prior to v15, a single x-middleware-subrequest value is enough:
2. Recursive‑Depth Bypass (v15.x)
For v15.x, the attacker must include the value repeated five times to hit the recursion depth limit:
cURL PoC:
If /admin was protected only by middleware, the attacker now gains direct access.
Impact
- Authentication & Authorization Bypass – Direct access to protected routes (/admin, /api/private).
- Cache Poisoning / DoS – Malformed or unauthorized responses may get cached, impacting other users.
- Privilege Escalation – If backend logic relies solely on middleware checks, attackers may escalate privileges.
Mitigation
1. Upgrade
Upgrade to 14.2.25, 15.2.3, or later.
2. Strip the Header
If upgrading isn’t immediately possible, strip this header at the proxy or app server:
Nginx:
Apache:
Express.js middleware:
3. Add Defense‑in‑Depth
Do not rely solely on middleware for authorization—enforce access checks at the API/controller level.
Detection
- Log Analysis: Look for external requests containing the x-middleware-subrequest header.
- WAF/IDS: Deploy updated detection rules (e.g., Snort, F5, Check Point) that block this header.
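The header-stripping step from the Mitigation section and the log-analysis check above, as one added example that is not code from this repository: an Express-style handler that drops an externally supplied x-middleware-subrequest before Next.js sees it, plus a scanner over constructed JSON access-log lines. The log record format, the `log` sink parameter and the sample records are assumptions; the depth count splits the header value on ':' the way Next.js does when it counts middleware recursion.

```javascript
// Added example, not code from the repository: a header-stripping handler plus a
// log scanner. Node.js lowercases header names, so the lookup key is lowercase.
const HEADER = 'x-middleware-subrequest';

// Express-compatible middleware. Mount it in front of the Next.js handler so an
// externally supplied x-middleware-subrequest never reaches it.
// `log` is an injectable sink (assumed API) so every drop is recorded for detection.
function stripMiddlewareSubrequestHeader(log = console.warn) {
  return function (req, res, next) {
    if (Object.prototype.hasOwnProperty.call(req.headers, HEADER)) {
      log(`dropped ${HEADER} on ${req.method} ${req.url} from ${req.ip}`);
      delete req.headers[HEADER];
    }
    next();
  };
}

// Constructed access-log lines (one JSON record per line; this format is an
// assumption, not Next.js's own log format). Two of the four carry the header.
const SAMPLE_LOG = [
  '{"ip":"198.51.100.20","method":"GET","path":"/","headers":{"host":"app.example"}}',
  '{"ip":"203.0.113.7","method":"GET","path":"/admin","headers":{"host":"app.example","x-middleware-subrequest":"middleware"}}',
  '{"ip":"203.0.113.9","method":"GET","path":"/api/private","headers":{"host":"app.example","x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  'garbage line that is not JSON',
];

// Detection: flag every external request that carries the header at all.
// Next.js counts recursion depth by splitting the value on ':', so the number of
// segments tells the pre-15 (single value) and 15.x (five values) variants apart.
function findSubrequestBypassAttempts(logLines, maxDepth = 5) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed records
    const value = rec.headers && rec.headers[HEADER];
    if (typeof value !== 'string') continue;
    const depth = value.split(':').length;
    hits.push({ ip: rec.ip, path: rec.path, depth, hitsDepthLimit: depth >= maxDepth });
  }
  return hits;
}

for (const hit of findSubrequestBypassAttempts(SAMPLE_LOG)) {
  console.log(`suspicious ${hit.path} from ${hit.ip} (depth ${hit.depth})`);
}
```

Any hit at all is worth an alert, since no legitimate client outside the server ever sets this header; `hitsDepthLimit` only tells you which variant was attempted.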
References
Takeaway
If your Next.js app uses middleware for access control and runs on next start or standalone mode — patch now. Until then, strip the x-middleware-subrequest header and enforce redundant authorization checks on sensitive routes.