Critical Next.js Vulnerability CVE-2025-29927: What You Need to Know
By InnovaKode Team, Web Security Specialists | 2025-03-23
A Critical Flaw in Next.js Middleware
On March 21, 2025, a severe vulnerability, CVE-2025-29927, was disclosed in Next.js, earning a CVSS score of 9.1. This authentication bypass issue affects applications relying on Next.js middleware for security, potentially exposing protected routes to attackers.
What Happened?
The flaw allows attackers to bypass middleware authorization checks by sending a crafted request with the header x-middleware-subrequest: true. This tricks Next.js into treating the request as an internal subrequest, skipping authentication logic. If your app uses middleware as its sole security layer, you’re at risk.
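Because the header is meant for Next.js's own internal subrequests, a copy of it arriving from a client at the edge is an anomaly worth surfacing in your access logs. The following scanner is an added example for this post (not code from the original article or from the Next.js project); the JSON-per-line log format, IP addresses and the `findSuspiciousRequests` / `parseLine` helper names are all constructed here, so adapt `parseLine` to whatever your proxy or application actually emits.

```javascript
// Added example: flag logged requests that carry the x-middleware-subrequest header.
// The log format below is constructed for this example; real logs will differ.

const HEADER = 'x-middleware-subrequest';

// Constructed sample log: one JSON record per line, as a reverse proxy might write it.
// The third line uses a differently-cased header name to show the lookup is case-insensitive.
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","ip":"203.0.113.10","method":"GET","path":"/dashboard","headers":{"host":"app.example","cookie":"session=abc"}}',
  '{"ts":"2025-03-22T10:00:02Z","ip":"203.0.113.44","method":"GET","path":"/admin","headers":{"host":"app.example","x-middleware-subrequest":"true"}}',
  '{"ts":"2025-03-22T10:00:03Z","ip":"127.0.0.1","method":"GET","path":"/api/internal","headers":{"host":"app.example","X-Middleware-Subrequest":"middleware"}}',
  'this line is not valid json and is skipped',
].join('\n');

// Parse one log line; malformed lines yield null rather than aborting the scan.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null;
  }
}

// HTTP header names are case-insensitive, so compare lower-cased keys.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Report every request that carries the header, whatever its value, except those
// from sources the operator explicitly trusts (for example a loopback address used
// by the app's own internal traffic). Each hit records when, who and which path.
function findSuspiciousRequests(logText, { trustedSources = [] } = {}) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const value = getHeader(rec.headers, HEADER);
    if (value === undefined) continue;
    if (trustedSources.includes(rec.ip)) continue;
    hits.push({ ts: rec.ts, ip: rec.ip, path: rec.path, value });
  }
  return hits;
}

// Usage: trust loopback, report everything else carrying the header.
for (const hit of findSuspiciousRequests(SAMPLE_LOG, { trustedSources: ['127.0.0.1'] })) {
  console.log(`${hit.ts} ${hit.ip} ${hit.path} ${HEADER}=${hit.value}`);
}
```

The scanner flags presence rather than a particular value: the post describes the header as a marker for internal subrequests, so any client-supplied copy is suspect, and tuning `trustedSources` is how you keep the app's own internal traffic out of the report.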
Affected Versions and Fixes
- Affected: All versions before 14.2.25 (14.x) and 15.2.3 (15.x).
- Fixed In: 14.2.25 and 15.2.3, with backports to earlier supported versions.
Good news: Apps hosted on Vercel, Netlify, or Cloudflare are safe due to platform mitigations. Self-hosted setups, however, need immediate attention.
How to Protect Your App
- Update Now: Upgrade to Next.js 14.2.25 or 15.2.3+. Run: npm install next@latest
- Add Layers: Don’t rely on middleware alone—validate requests in API routes or server components.
- Audit: Check if your routes are exposed and test after patching.
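The three steps above come together in a route handler that checks the session itself, so that an authorization decision never depends on middleware having run. The code below is an added example for this post, not code from the original article or from Next.js: the in-memory `SESSIONS` store, the `session` cookie name, the `requireSession` and `adminHandler` helper names and the plain `{ method, path, headers }` request shape are all constructed here, and header keys are assumed to be lower-cased as Node's http module delivers them. The final constructed request is the kind of post-patch audit check the list calls for: a request with the header but no valid session must still be refused.

```javascript
// Added example: a protected route that validates the session on its own,
// independent of middleware. Store, cookie name and request shape are constructed.

// Constructed in-memory session store: cookie token -> user record.
const SESSIONS = new Map([
  ['s3ss10n-alice', { user: 'alice', role: 'admin' }],
  ['s3ss10n-bob', { user: 'bob', role: 'viewer' }],
]);

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader = '') {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) out[name] = rest.join('=');
  }
  return out;
}

// requireSession looks only at the session cookie. No other request property,
// including an x-middleware-subrequest header, can make it skip the lookup.
function requireSession(req, store = SESSIONS) {
  const cookies = parseCookies(req.headers.cookie);
  return store.get(cookies.session) || null;
}

// Handler for a protected resource, shaped like a Next.js API route in spirit only.
// It returns { status, body } so the outcome can be asserted on directly.
function adminHandler(req) {
  const session = requireSession(req);
  if (!session) return { status: 401, body: { error: 'authentication required' } };
  if (session.role !== 'admin') return { status: 403, body: { error: 'admin role required' } };
  return { status: 200, body: { ok: true, user: session.user } };
}

// Constructed requests for the audit step.
const headerNoSession = {
  method: 'GET',
  path: '/api/admin',
  headers: { 'x-middleware-subrequest': 'true' },
};
const viewer = { method: 'GET', path: '/api/admin', headers: { cookie: 'session=s3ss10n-bob' } };
const admin = {
  method: 'GET',
  path: '/api/admin',
  headers: { cookie: 'theme=dark; session=s3ss10n-alice' },
};

console.log(adminHandler(headerNoSession).status); // 401: the header buys nothing here
console.log(adminHandler(viewer).status); // 403: authenticated but not an admin
console.log(adminHandler(admin).status); // 200
```

The point of the design is that middleware becomes a convenience (early redirects, logging) rather than the security boundary; the handler re-derives the caller's identity from the session store on every call, so a request that skipped middleware arrives at exactly the same check as one that did not.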
Takeaway
CVE-2025-29927 is a wake-up call for Next.js developers. Security isn’t just about features—it’s about layers. Update your app, rethink your auth strategy, and stay vigilant.