Critical Next.js vulnerability exposes millions of web applications

April 12, 2025
Critical vulnerability in Next.js (CVE-2025-29927)

A newly discovered security flaw (CVE-2025-29927) in Next.js has raised alarms across the developer community, exposing a critical weakness in the framework’s middleware system. This vulnerability, rated 9.1 on the CVSS scale, enables attackers to bypass authentication and authorization checks with a single manipulated HTTP header—potentially compromising countless applications built on one of React’s most widely adopted full-stack frameworks.

How the Exploit Works (CVE-2025-29927)

By injecting a specially crafted x-middleware-subrequest header, attackers can circumvent Next.js middleware entirely—neutralizing security measures like login verification, geo-blocking, and rate limiting. The flaw impacts self-hosted applications running versions 11.1.4 through 15.2.2, though apps deployed via Vercel or Netlify remain unaffected.

Why is this vulnerability so dangerous?

With over 10 million weekly downloads, Next.js underpins critical applications in finance, healthcare, and even decentralized Web3 platforms. The framework’s middleware, often relied upon as the first line of defense, was found to silently fail when attackers inject a malicious x-middleware-subrequest header. This bypass requires no authentication, exploiting a trust boundary that developers assumed was secure.

Three Critical Implications

  1. No authentication required: Middleware security checks (authentication, rate limits, geo-blocking) are rendered ineffective without triggering errors, leaving any intrusion undetected.

  2. Scale of exposure: Versions 11.1.4 through 15.2.2 are affected, spanning years of deployments.

  3. Exploit simplicity: Attackers need only a single HTTP header to access protected routes, risking data leaks or API abuse.

The flaw’s CVSS 9.1 rating reflects its low-complexity exploitation and high-impact outcomes, from credential theft to cache poisoning.

Urgent Mitigations

Developers are advised to immediately:

  • Upgrade to a patched Next.js version (later than 15.2.2)

  • Audit middleware logic for unexpected bypasses

  • Monitor traffic for anomalous header patterns
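The last two points can be backed by a small guard in front of a self-hosted Next.js app. The following is an added example, not code from the article or from the Next.js project: it assumes the app sits behind a reverse proxy or Node entry point you control, so a request arriving from an external client should never carry the internal x-middleware-subrequest header; any such request is logged as a finding and the header is stripped before the app sees it. The same inspection function is run over a constructed JSON access log to show the monitoring side.

```javascript
// Added example (not from the article): detect and neutralise a client-supplied
// x-middleware-subrequest header before it reaches a self-hosted Next.js app.
// Assumption: external clients never legitimately send this internal header.
const SUSPECT_HEADER = 'x-middleware-subrequest';

// Inspect one inbound request. `headers` is a plain object in the shape of
// Node's http.IncomingMessage.headers. Returns a finding for alerting (or null)
// and a copy of the headers with the internal header removed, regardless of
// its value, so the application never receives a client-controlled copy.
function inspectRequest({ method, url, headers, remoteAddress }) {
  const sanitized = {};
  let present = false;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === SUSPECT_HEADER) {
      present = true; // do not forward it, whatever it contains
      continue;
    }
    sanitized[name] = value;
  }
  const finding = present
    ? { severity: 'high', reason: `client-supplied ${SUSPECT_HEADER}`, method, url, remoteAddress }
    : null;
  return { finding, headers: sanitized };
}

// Express/Connect-style handler to place in front of the Next.js request handler:
// log the finding and strip the header in place (reject with 403 for a stricter policy).
function guardMiddleware(req, res, next) {
  const { finding } = inspectRequest({
    method: req.method, url: req.url, headers: req.headers,
    remoteAddress: req.socket && req.socket.remoteAddress,
  });
  if (finding) console.warn(JSON.stringify(finding)); // feed to SIEM/alerting
  delete req.headers[SUSPECT_HEADER]; // Node lower-cases incoming header names
  next();
}

// Monitoring side: scan access-log records (one JSON object per line, as a proxy
// with header logging might emit) and return every request carrying the header.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const { finding } = inspectRequest(rec);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample log: one benign request, one carrying the header (value redacted).
const SAMPLE_LOG = [
  '{"method":"GET","url":"/dashboard","remoteAddress":"203.0.113.7","headers":{"host":"app.example","cookie":"session=abc"}}',
  '{"method":"GET","url":"/admin/users","remoteAddress":"198.51.100.9","headers":{"host":"app.example","X-Middleware-Subrequest":"[redacted]"}}',
];
```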

With Next.js powering platforms like TikTok, Netflix, and Uber, this vulnerability underscores the risks of overlooked edge cases in this widely used framework.
