A critical security flaw in Next.js has left thousands of self-hosted websites open to attack. The vulnerability, tracked as CVE-2025-29927, lets an attacker skip every check implemented in Next.js middleware simply by adding one special header to the HTTP request. Yeah, it’s that easy. Slip in an “x-middleware-subrequest” header with the right value and the middleware never runs. If that is where your login check lives, no password required.
This isn’t some minor glitch. We’re talking about a critical vulnerability with a CVSS score of 9.1 out of 10. The flaw affects every version from 11.1.4 through 15.2.2, a range that accounts for millions of weekly downloads. Next.js reportedly powers about 15% of React applications, so the blast radius is massive.
The problem lies in the runMiddleware function, and in a header that was only ever meant for internal use. When middleware triggers a subrequest, the framework appends the middleware’s name to x-middleware-subrequest so it can recognise its own recursive calls and stop an infinite loop. The loop guard ended up being a massive security hole instead. Ironic, right? runMiddleware trusted that header even when it arrived from the outside: if the value matched, the middleware was skipped entirely and the request proceeded with no validation at all. That undermines everything the middleware was supposed to do, including authentication and authorization checks, redirects and path rewrites, and any security headers it would have set. The exact value depends on the version. Next.js 15 counts how many times the middleware name appears and skips the middleware once the count reaches its recursion limit of five, hence the widely quoted value middleware:middleware:middleware:middleware:middleware (with src/middleware in place of middleware if the file lives under src/). Older versions skip on a single occurrence of the name: middleware from 12.2 through 14, and pages/_middleware before 12.2.
Fortunately, not everyone is affected. Applications hosted on Vercel or Netlify, or deployed as static exports (where middleware doesn’t run at all), are off the hook. But self-hosted Next.js applications that rely on middleware? They’re sitting ducks.
The fix is straightforward: upgrade to the patched versions, 15.2.3, 14.2.25, 13.5.9, or 12.3.5. Can’t update immediately? Then strip the x-middleware-subrequest header from external requests at the reverse proxy or web server, before they ever reach the Next.js process. Organizations should also watch their HTTP request logs for that header arriving from outside (only the framework itself should ever set it) and put authorization checks in more than one layer, not just middleware. A Zero Trust model is a natural fit here: every request is verified at the resource it touches, regardless of where it came from or which perimeter it already passed.
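For the log-monitoring part, here’s an added example of mine, not from the article or the Next.js project, that scans a JSON-lines access log for requests carrying the header from external clients and tells you which ones got a successful response. The log format (one JSON object per line with ip, path, status and a headers map) and the five sample lines are constructed for the example; adapt the parsing to whatever your proxy actually writes.

```javascript
// Added example, not from the article or Next.js: detect external requests
// carrying x-middleware-subrequest in a JSON-lines access log. The log
// format is an assumption about what the reverse proxy writes.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Constructed sample log, not real traffic. One malformed line is included
// on purpose to show that parsing is tolerant.
const SAMPLE_LOG = [
  '{"ts":"2025-03-24T10:00:01Z","ip":"203.0.113.7","method":"GET","path":"/admin","status":200,"headers":{"x-middleware-subrequest":"middleware:middleware:middleware:middleware:middleware","user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-03-24T10:00:02Z","ip":"198.51.100.9","method":"GET","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-24T10:00:03Z","ip":"203.0.113.7","method":"GET","path":"/api/users","status":200,"headers":{"X-Middleware-Subrequest":"middleware","user-agent":"python-requests/2.31"}}',
  '{"ts":"2025-03-24T10:00:04Z","ip":"192.0.2.5","method":"POST","path":"/login","status":302,"headers":{"user-agent":"Mozilla/5.0"}}',
  'garbage line that is not JSON',
].join('\n');

// Names Next.js uses for the middleware inside the header, across versions.
const MIDDLEWARE_NAMES = new Set(['middleware', 'src/middleware', 'pages/_middleware']);

// Does the header value look like a crafted bypass string?
function describeValue(value) {
  const parts = String(value).split(':');
  const hits = parts.filter((p) => MIDDLEWARE_NAMES.has(p)).length;
  return { segments: parts.length, middlewareHits: hits, looksCrafted: hits > 0 };
}

// Parse the log text and return one finding per external request that
// carried the header. Malformed lines are skipped rather than fatal.
function findSubrequestHeaderAbuse(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const headers = entry.headers || {};
    // Header names are case-insensitive, so match on the lower-cased key.
    const key = Object.keys(headers).find((k) => k.toLowerCase() === SUBREQUEST_HEADER);
    if (key === undefined) continue;
    findings.push({
      ts: entry.ts, ip: entry.ip, method: entry.method, path: entry.path, status: entry.status,
      value: headers[key],
      ...describeValue(headers[key]),
      // A 2xx on a path middleware should have guarded is the loudest signal.
      succeeded: entry.status >= 200 && entry.status < 300,
    });
  }
  return findings;
}

// Count findings per client address, to decide who to block first.
function countByClient(findings) {
  const counts = new Map();
  for (const f of findings) counts.set(f.ip, (counts.get(f.ip) || 0) + 1);
  return counts;
}

// Stand-alone run: print every finding from the sample log.
for (const f of findSubrequestHeaderAbuse(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.ip} ${f.method} ${f.path} -> ${f.status} value=${JSON.stringify(f.value)} crafted=${f.looksCrafted}`);
}
```

Any hit at all is worth a look, because a legitimate browser or API client has no reason to send this header; a hit with a 200 on an admin or API path is the one to treat as a confirmed bypass attempt.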
The vulnerability can enable a range of attacks: reaching protected routes, sidestepping the security headers middleware would have set (including a Content-Security-Policy, which makes cross-site scripting easier to pull off), and, in some setups, cache poisoning. It’s a hacker’s dream come true. Applications should verify the session, for example an HttpOnly session cookie, inside the route handler or data layer itself rather than relying solely on middleware protection.
This flaw highlights the dangers of single-point security measures. One bypass and the whole system falls. Next.js users need to wake up and patch their installations. Now. Before someone walks through their digital front door uninvited.