CVE-2025-29927 - Next.js Middleware Bypass Explained In Simple Terms

The vulnerability skips Next.js middleware security checks by adding a single HTTP header

Trevor I. Lasn Trevor I. Lasn
· 2 min read
Building 0xinsider.com — see who's winning across prediction markets (Polymarket, Kalshi, and more) — and what they're trading right now.

Next.js middleware normally checks if users can access protected pages. It runs before your page loads and can block unauthorized visitors.

But malicious users can add a special header called x-middleware-subrequest to their HTTP requests. When they do this, Next.js skips running your middleware completely. This means all your security checks get bypassed.

Here’s what a normal request looks like:

And here’s what a malicious request looks like:

That’s it. By adding this one header, they bypass all your security checks.

What is the x-middleware-subrequest Header?

The x-middleware-subrequest header is an internal Next.js header that prevents infinite loops. When middleware calls pages that also have middleware, this header tracks the chain.

If the same middleware appears 5+ times in the chain, Next.js stops running middleware to prevent stack overflow. The header stores middleware names separated by colons.

The vulnerability exists because Next.js trusts this header in all incoming requests, not just internal ones. By adding this header with five instances of “middleware”, attackers can trick Next.js into skipping the security checks entirely.

Next.js Versions Affected

The vulnerability affects all versions of Next.js from 11.1.4 to 15.2.2. The issue was fixed in the following versions:

Version RangeStatusAction
11.1.4 to 12.3.4VulnerableUpdate to 12.3.5 or newer
13.0.0 to 13.5.8VulnerableUpdate to 13.5.9 or newer
14.0.0 to 14.2.24VulnerableUpdate to 14.2.25 or newer
15.0.0 to 15.2.2VulnerableUpdate to 15.2.3 or newer
12.3.5+PatchedNo action needed
13.5.9+PatchedNo action needed
14.2.25+PatchedNo action needed
15.2.3+PatchedNo action needed

The patched versions now validate this header properly to prevent abuse from external requests.

References

Trevor I. Lasn

Building 0xinsider.com — see who's winning across prediction markets (Polymarket, Kalshi, and more) — and what they're trading right now. Product engineer based in Tartu, Estonia, building and shipping for over a decade.

Found this article helpful? You might enjoy my free newsletter. I share dev tips and insights to help you grow your coding skills and advance your tech career.

Related Articles

Check out these related articles that might be useful for you. They cover similar topics and provide additional insights.

Webdev
14 min read

AEO and GEO for AI Overviews, ChatGPT, Claude, Gemini, and Perplexity

What Answer Engine Optimization and Generative Engine Optimization mean, and how to get your site cited by AI Overviews, ChatGPT, Claude, Perplexity, and Gemini.

May 17, 2026
Read article
Webdev
13 min read

10 Essential Terminal Commands Every Developer Should Know

List of useful Unix terminal commands to boost your productivity. Here are some of my favorites.

Aug 21, 2024
Read article
Webdev
8 min read

Become a Web Developer in 180 Days

A comprehensive roadmap to becoming a proficient web developer

Oct 29, 2019
Read article
Webdev
5 min read

WebAssembly (Wasm): When (and When Not) to Use It

Understanding the real use cases for WebAssembly beyond the performance hype

Nov 25, 2024
Read article
Webdev
5 min read

Add Auth to Astro 5 with Clerk in 5 Minutes

The simplest setup for adding Clerk authentication to your Astro project, with minimal code

Dec 18, 2024
Read article
Webdev
3 min read

NPQ: Open source CLI tool that audits and protects your npm installs from malicious packages

A CLI tool that checks packages for security issues and social engineering attacks before they hit your project

Jul 26, 2025
Read article
Webdev
4 min read

Understanding Vue's Suspense

How the Suspense component manages async dependencies and improves loading states in Vue apps

Aug 23, 2024
Read article
Webdev
4 min read

Explicit is better than implicit

Clarity is key: being explicit makes your code more readable and maintainable.

Sep 4, 2024
Read article
Webdev
3 min read

align-content: The Simplest Way to Center Content with CSS

Finally, we can center things in block layouts without flexbox gymnastics

Dec 13, 2024
Read article
all articles

This article was originally published on https://www.trevorlasn.com/blog/cve-2025-29927-nextjs-middleware. It was written by a human and polished using grammar tools for clarity.