Critical security flaw uncovered in Next.js framework


A critical security flaw has been discovered in the popular Next.js framework, potentially impacting millions of websites and applications.

Security researchers Rachid Allam, known online as zhero, and Yasser Allam (inzo_) collaborated to uncover the flaw within the framework’s middleware functionality.

Next.js, boasting over 130,000 stars on GitHub and nearly 10 million weekly downloads, is a framework built upon React. Its extensive feature set makes it a popular choice for developers, but it also presents a broad attack surface for security researchers.

Understanding the Next.js middleware vulnerability

The vulnerability lies within how Next.js handles its middleware, a feature that allows developers to execute code before a request is completed.

Middleware is a crucial component for various functionalities, including path rewriting, server-side redirects, adding security headers like CSP, and most importantly, authentication and authorisation.

A typical example provided in the blog post illustrates this: “When a user attempts to access /dashboard/admin, their request will first go through the middleware, which will check if their session cookies are valid and grant them the necessary permissions. If so, the middleware will forward the request; otherwise, the middleware will redirect the user to a login page.”

The researchers’ breakthrough came from examining older versions of the framework. While investigating version 12.0.7, they identified a specific piece of code within the runMiddleware function.

This function, responsible for executing middleware, retrieves the value of the x-middleware-subrequest header. This header is intended to determine whether the middleware should be applied to a given request. The value of this header is split into a list using the colon (:) as a separator, and the framework then checks if this list contains the middlewareInfo.name value.

The researchers realised that by adding the x-middleware-subrequest header with a specific value to a request, they could effectively bypass the middleware entirely.

“This means that if we add the x-middleware-subrequest header with the correct value to our request, the middleware – whatever its purpose – will be completely ignored, and the request will be forwarded via NextResponse.next() and will complete its journey to its original destination without the middleware having any impact/influence on it. The header and its value act as a universal key allowing rules to be overridden.”

The crucial element was determining the correct value for this “universal key,” which depends on the middlewareInfo.name. This value, it turns out, is the path to the middleware file.

Uncovering the middleware path

In older Next.js versions (prior to 12.2), middleware files had to be named _middleware.ts and resided within the pages directory due to the exclusive use of the pages router at the time. This allowed the researchers to deduce the exact path and therefore the value for the x-middleware-subrequest header: pages/_middleware.

Their tests confirmed their suspicions. When attempting to access a protected route like /dashboard/team/admin that was configured to redirect to /dashboard, adding the header x-middleware-subrequest: pages/_middleware allowed them to bypass the redirection and access the protected page directly.

Furthermore, versions prior to 12.2 allowed for nested middleware files, each with its own execution order. This meant that for a path like /dashboard/panel/admin, there were multiple potential values for the x-middleware-subrequest header: pages/_middleware, pages/dashboard/_middleware, or pages/dashboard/panel/_middleware.

Vulnerability extends to all Next.js versions

Initially, the researchers believed the vulnerability was limited to versions prior to 13 due to changes in middleware handling. However, their continued investigation revealed a far more concerning reality.

“To our big surprise, we discovered two days after this initial discovery that all versions of next.js – starting with version 11.1.4 – were vulnerable,” Allam stated.

While the code location and exploit logic have slightly changed in newer versions, the fundamental flaw remained. Starting with version 12.2, middleware files are simply named middleware.ts and are located in the root directory or within a /src directory if one is used. This simplifies the potential values for the x-middleware-subrequest header to either middleware or src/middleware.

In the latest versions of Next.js, the logic has evolved again to prevent infinite loops. The framework now checks the depth of the x-middleware-subrequest header value against a MAX_RECURSION_DEPTH (set to 5). To bypass the middleware in these versions, the header needs to include the correct path repeated multiple times.

The researchers provided concrete examples of how this vulnerability can be exploited in real-world scenarios:

  • Authorisation/rewrite bypass: By adding the malicious header, they were able to access an /admin/login endpoint that was otherwise protected by a middleware-based rewrite.
  • CSP bypass: They demonstrated how the vulnerability could be used to bypass Content Security Policy (CSP) and cookie settings that were being enforced by the middleware.
  • Denial-of-Service (DoS) via cache-poisoning: In certain configurations, the vulnerability could be leveraged to cause a cache-poisoning DoS attack. This could occur if a site rewrites user paths based on location and doesn’t have a resource on the root path. Bypassing the middleware would lead to a 404 error on the root, which could then be cached by a CDN to potentially render the site unusable.

Impact and remediation

“To be clear, the vulnerable element is the middleware. If it isn’t used (or at least isn’t used for sensitive purposes), there’s nothing to worry about… since bypassing the middleware won’t bypass any security mechanisms. Otherwise, the consequences can be catastrophic,” the researchers warn.

The flaw has been assigned CVE-2025-29927 and a security advisory has been issued for it, with a CVSS score of 9.1 out of 10.

The researchers noted that platforms like Vercel and Netlify have implemented mitigations, although Cloudflare initially rolled out a rule that has since been made opt-in due to false positives.

“This vulnerability has been present for several years in the next.js source code, evolving with the middleware and its changes over the versions,” stated Allam.

“A critical vulnerability can occur in any software, but when it affects one of the most popular frameworks, it becomes particularly dangerous and can have severe consequences for the broader ecosystem.”

The Vercel team, the developers behind Next.js, responded swiftly once fully aware of the issue. A fix was implemented and released within hours, including backports to older supported versions.

Developers using Next.js are strongly advised to update to the patched versions or implement the recommended workaround immediately.

(Photo by Scott Rodgerson)
