CVE-2025-29927 - Next.js Middleware Bypass Explained In Simple Terms

The vulnerability skips Next.js middleware security checks by adding a single HTTP header

Trevor I. Lasn Trevor I. Lasn
· 2 min read
Founder & CEO of 0xinsider.com — the Bloomberg terminal for prediction markets.

Next.js middleware normally checks if users can access protected pages. It runs before your page loads and can block unauthorized visitors.

But malicious users can add a special header called x-middleware-subrequest to their HTTP requests. When they do this, Next.js skips running your middleware completely. This means all your security checks get bypassed.

Here’s what a normal request looks like:

And here’s what a malicious request looks like:

That’s it. By adding this one header, they bypass all your security checks.

What is the x-middleware-subrequest Header?

The x-middleware-subrequest header is an internal Next.js header that prevents infinite loops. When middleware calls pages that also have middleware, this header tracks the chain.

If the same middleware appears 5+ times in the chain, Next.js stops running middleware to prevent stack overflow. The header stores middleware names separated by colons.

The vulnerability exists because Next.js trusts this header in all incoming requests, not just internal ones. By adding this header with five instances of “middleware”, attackers can trick Next.js into skipping the security checks entirely.

Next.js Versions Affected

The vulnerability affects all versions of Next.js from 11.1.4 to 15.2.2. The issue was fixed in the following versions:

Version RangeStatusAction
11.1.4 to 12.3.4VulnerableUpdate to 12.3.5 or newer
13.0.0 to 13.5.8VulnerableUpdate to 13.5.9 or newer
14.0.0 to 14.2.24VulnerableUpdate to 14.2.25 or newer
15.0.0 to 15.2.2VulnerableUpdate to 15.2.3 or newer
12.3.5+PatchedNo action needed
13.5.9+PatchedNo action needed
14.2.25+PatchedNo action needed
15.2.3+PatchedNo action needed

The patched versions now validate this header properly to prevent abuse from external requests.

References

Trevor I. Lasn

Founder & CEO of 0xinsider.com — the Bloomberg terminal for prediction markets. Product engineer based in Tartu, Estonia, building and shipping for over a decade.

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev
3 min read

The HTML Native Search Element

The search HTML element is a container that represents the parts of the web page with search functionality

Dec 2, 2024
Read article
Webdev
5 min read

WebAssembly (Wasm): When (and When Not) to Use It

Understanding the real use cases for WebAssembly beyond the performance hype

Nov 25, 2024
Read article
Webdev
4 min read

Open Dyslexic Font: Improve Your Web Accessibility

How to implement the Open-Dyslexic font to enhance readability for users with dyslexia

Oct 12, 2024
Read article
Webdev
4 min read

CSS :interest-invoker and :interest-target Pseudo-Classes

Style connected UI elements with CSS pseudo-classes that respond to user interest. Interactive examples showing tooltips, forms, and navigation without JavaScript.

Nov 12, 2025
Read article
Webdev
7 min read

How to Land Your First Tech Job

A developer's guide to tech interviews - from someone who sits on both sides of the table

Oct 24, 2024
Read article
Webdev
3 min read

Form Validation That Doesn't Annoy Users: CSS :user-valid and :user-invalid

The new pseudo-classes :user-valid and :user-invalid give us a smarter way to style form validation states based on user interaction

Dec 12, 2024
Read article
Webdev
7 min read

Tips for Reducing Cyclomatic Complexity

Cyclomatic complexity is like counting how many ways a car can go. More options make it harder to drive because you have to make more decisions, which can lead to confusion.

Sep 10, 2024
Read article
Webdev
2 min read

link rel='modulepreload': Optimize JavaScript Module Loading

The rel='modulepreload' indicates that a module script should be fetched, parsed, and compiled preemptively, and stored for later execution

Dec 4, 2024
Read article
Webdev
4 min read

How To Implement Content Security Policy (CSP) Headers For Astro

Content Security Policy (CSP) acts like a shield against XSS attacks. These attacks are sneaky - they trick your browser into running malicious code by hiding it in content that seems trustworthy. CSP's job is to spot these tricks and shut them down, while also alerting you to any attempts it detects.

Oct 16, 2024
Read article
all articles

This article was originally published on https://www.trevorlasn.com/blog/cve-2025-29927-nextjs-middleware. It was written by a human and polished using grammar tools for clarity.