
Security researchers Rachid Allam and Yasser Allam found a vulnerability in Next.js middleware that makes it trivial to bypass authorization and gain access to protected resources. The vulnerability has been fixed for Next.js 14 and higher; for other versions the only mitigation is to block certain incoming requests.
The vulnerability means that if an HTTP header named x-middleware-subrequest is set to a certain value, the middleware is bypassed. Discovering that value is easily done, though it varies according to the version of Next.js. Not all Next.js applications use middleware to check authorization, but for those that do, the researchers said that “the consequences can be catastrophic.”
The Next.js team has issued an advisory noting that “it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.” Patches have been posted for versions 14.x and 15.x, while for earlier versions the team suggested that deployments block all external requests that contain the x-middleware-subrequest header. Applications hosted on Vercel or Netlify are automatically protected.
The researchers reported the bug to the Next.js maintainers in February, believing at first that only versions between 12.0.0 and 12.0.7 were vulnerable, but a few days later updated the report to say that all versions are vulnerable. Vercel published the first fixed version (15.2.3) on March 18th, and posted a security advisory three days later. The vulnerability is assigned CVE-2025-29927 and rated as critical.
The Next.js maintainers also acknowledged that they have “missed the mark on partner communications” for security vulnerabilities, and will now open a partner mailing list to improve this in future.
Next.js middleware allows code to run before a request is completed. The vulnerability stems from code intended to prevent recursive requests from causing infinite loops. Until yesterday, the documentation stated that “some common scenarios where middleware is particularly effective include authentication and authorization,” but this text has just been removed.
Elsewhere, the documentation already noted that “while middleware can be useful for initial checks, it should not be your only line of defense in protecting your data. The majority of security checks should be performed as close as possible to your data source.”
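The two pieces of guidance above, the advisory's advice to block external requests carrying the x-middleware-subrequest header and the documentation's point that middleware should not be the only line of defense, can be put together as follows. This is an added example written for this article, not code from the Next.js project or from the researchers; the session store, the `cookie-session` header, the handler shape and the log format are all constructed stand-ins, and the filter deliberately rejects on the header's presence alone rather than on any particular value.

```javascript
// Added example (not from the article or the Next.js project): a defender's
// two-layer response to the middleware bypass. Layer 1 mirrors the advisory's
// advice for unpatched versions: reject external requests that carry the
// x-middleware-subrequest header at all, whatever its value. Layer 2 follows
// the documentation's guidance that middleware must not be the only line of
// defense: the data-access layer re-checks the session itself.

const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Normalise header names to lower case so "X-Middleware-SubRequest" is caught too.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Layer 1: the edge / reverse-proxy rule. External clients have no legitimate
// reason to send this header, so its mere presence is grounds to reject.
function shouldRejectExternalRequest(headers) {
  return Object.prototype.hasOwnProperty.call(normalizeHeaders(headers), SUBREQUEST_HEADER);
}

// Alternative for deployments that prefer stripping the header to blocking the request.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) cleaned[name] = value;
  }
  return cleaned;
}

// Toy session store, constructed for the example.
const SESSIONS = { "sess-alice": { user: "alice", roles: ["admin"] } };

// Simplified stand-in for a middleware gate (hypothetical "cookie-session"
// header): "next" lets the request through, "redirect" sends it to login.
function middlewareGate(headers) {
  const h = normalizeHeaders(headers);
  return SESSIONS[h["cookie-session"]] ? "next" : "redirect";
}

// Layer 2: authorization at the data source, independent of middleware.
function loadAdminReport(sessionId) {
  const session = SESSIONS[sessionId];
  if (!session || !session.roles.includes("admin")) {
    throw new Error("forbidden");
  }
  return { owner: session.user, rows: 3 };
}

// Simulated route handler. Even when the middleware gate is skipped, the
// data layer refuses an unauthenticated caller with 403 instead of serving data.
function handleAdminReport(headers, { middlewareSkipped = false } = {}) {
  const h = normalizeHeaders(headers);
  if (!middlewareSkipped && middlewareGate(headers) !== "next") {
    return { status: 302 };
  }
  try {
    return { status: 200, body: loadAdminReport(h["cookie-session"]) };
  } catch (e) {
    return { status: 403 };
  }
}

// Detection: flag access-log lines that record the header arriving from outside.
// The lines and the hdr="" field are constructed for this example.
const SAMPLE_LOG = [
  '203.0.113.7 GET /dashboard 200 hdr="x-middleware-subrequest"',
  '203.0.113.8 GET /dashboard 302 hdr=""',
  '198.51.100.2 GET /api/admin 200 hdr="X-Middleware-Subrequest"',
];

function findSuspiciousLogLines(lines) {
  return lines.filter((line) => line.toLowerCase().includes(SUBREQUEST_HEADER));
}
```

The point of the `middlewareSkipped` path is the one the documentation makes: when the middleware gate is removed, a correctly layered application degrades to a 403 from the data layer rather than to a 200 with the protected data. The log filter matches on the header name case-insensitively, since header names are case-insensitive on the wire.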
Developers have been surprised that such an easy way to bypass the middleware survived in the codebase for so long. “How did they miss that? wow, just check if this header exists and you can ignore the remaining middleware,” said one, while another described the flaw as “beyond damning.”