
The Download
A significant security flaw has been identified in Next.js, a popular React-based framework, affecting versions from 11.1.4 through 15.1.7. This vulnerability, designated as CVE-2025-29927, allows attackers to bypass middleware functions by manipulating the x-middleware-subrequest header. Middleware in Next.js is commonly used for tasks such as authentication, authorization, and request rewriting. By crafting requests with specific x-middleware-subrequest header values, attackers can effectively disable these middleware protections. This exploitation can lead to unauthorized access to restricted areas, circumvention of security policies like Content Security Policy (CSP), and potential denial-of-service (DoS) conditions through cache poisoning.
What You Can Do
To mitigate this vulnerability, IT administrators should promptly update Next.js to the latest patched versions—15.2.3 for the 15.x series and 14.2.25 for the 14.x series. For versions between 11.1.4 and 13.5.6, where direct patches may not be available, it is advisable to implement workarounds such as filtering or blocking external requests containing the x-middleware-subrequest header. Administrators should also review and update middleware configurations so that critical security decisions do not rely solely on client-supplied headers. Regularly monitoring application logs for unusual access patterns can aid in early detection of exploitation attempts.
Use ThreatMate to monitor your attack surfaces for exploitable vulnerabilities. Sign up for a demo.
To Learn More: