A critical vulnerability has been identified in the Next.js React framework that allows attackers to bypass authorization checks under specific circumstances. Tracked as CVE-2025-29927, it carries a CVSS score of 9.1, which places it in the Critical severity band.
According to the Next.js advisory, the framework uses an internal header, x-middleware-subrequest, to prevent recursive requests from causing infinite loops. The problem is that the framework honoured this header on requests arriving from outside. An attacker who adds it to a request can cause middleware execution to be skipped entirely, so any check the middleware performs, including validation of authorization cookies, never runs before the request is processed.
The vulnerability affects self-hosted deployments that run the application with “next start” and “output: standalone.” Next.js applications hosted on platforms such as Vercel and Netlify, and applications deployed as static exports, are not affected.
The flaw is fixed in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. Organizations that cannot upgrade immediately are advised to prevent external requests containing the x-middleware-subrequest header from reaching their Next.js applications, for example by stripping or blocking the header at the reverse proxy or load balancer in front of the application.
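The following is an added illustration, not code from Next.js or from the advisory, that models the two points above: how trusting an internal header on an inbound request lets an attacker skip an authorization middleware, and how the interim mitigation (dropping the header before the application sees it) restores the check. The session store, the authMiddleware, handleVulnerable and stripInternalHeaders functions and all request data are constructed for the example. The real framework decides whether to skip middleware based on the header's value; this model treats any presence of the header as the trigger, which is the same condition the advisory's mitigation blocks on.

```javascript
// Added illustration (not Next.js source code): a toy request pipeline that
// models the behaviour described in the advisory. Names below (authMiddleware,
// SESSIONS, handleVulnerable, stripInternalHeaders) are hypothetical.
// The real framework inspects the header's value; this model treats any
// presence of the header as the trigger, matching the advisory's mitigation.

const INTERNAL_HEADER = "x-middleware-subrequest";

// Constructed stand-in for a session store: cookie value -> role.
const SESSIONS = new Map([
  ["s3ss10n-admin", "admin"],
  ["s3ss10n-user", "user"],
]);

// HTTP header names are case-insensitive; look them up that way.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Hypothetical authorization middleware: only an admin session reaches /admin.
// Returns a response to short-circuit with, or null to let the request through.
function authMiddleware(req) {
  if (!req.path.startsWith("/admin")) return null;
  const cookies = parseCookies(getHeader(req.headers, "cookie"));
  if (SESSIONS.get(cookies.session) !== "admin") {
    return { status: 401, body: "unauthorized" };
  }
  return null;
}

function route(req) {
  return req.path.startsWith("/admin")
    ? { status: 200, body: "admin panel" }
    : { status: 200, body: "public page" };
}

// Vulnerable pipeline: the recursion guard meant for the framework's own
// subrequests fires on a header the client supplied, so authMiddleware never runs.
function handleVulnerable(req) {
  const looksLikeSubrequest = getHeader(req.headers, INTERNAL_HEADER) !== undefined;
  if (!looksLikeSubrequest) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return route(req);
}

// The advisory's interim mitigation, as a reverse proxy or edge would apply it:
// drop the internal header from every inbound request before the app sees it.
function stripInternalHeaders(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() !== INTERNAL_HEADER) headers[k] = v;
  }
  return { ...req, headers };
}

function handleMitigated(req) {
  return handleVulnerable(stripInternalHeaders(req));
}

// Constructed requests. The attacker holds no session cookie at all; the header
// value is arbitrary in this model.
const legitAdmin = { path: "/admin", headers: { cookie: "session=s3ss10n-admin" } };
const plainUser = { path: "/admin", headers: { cookie: "session=s3ss10n-user" } };
const attacker = { path: "/admin", headers: { [INTERNAL_HEADER]: "1" } };
const attackerCased = { path: "/admin", headers: { "X-Middleware-Subrequest": "1" } };

console.log("vulnerable, attacker:", handleVulnerable(attacker).status); // 200: bypass
console.log("mitigated, attacker:", handleMitigated(attacker).status);   // 401
console.log("mitigated, admin:", handleMitigated(legitAdmin).status);    // 200
```

Two details matter in practice. The header comparison must be case-insensitive, since HTTP header names are, and a proxy rule that only matches the lowercase spelling would be trivially sidestepped. And the strip has to happen in front of the application, not inside Next.js middleware, because the middleware is exactly the code that never runs when the bypass is in play.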
Rachid Allam, the security researcher credited with discovering the vulnerability, has published further technical details of the issue. With the bypass technique publicly documented, organizations should apply the fixes without delay.
JFrog has commented that the vulnerability lets attackers bypass authorization checks implemented in Next.js middleware, which could grant unauthorized access to content intended for privileged roles such as administrators.
Any site that relies on middleware for user authorization without enforcing the same check elsewhere (for example in the route handlers themselves) is exposed to CVE-2025-29927 and could have restricted resources, including admin panels, accessed without valid credentials.