
Critical Next.js Flaw Lets Attackers Bypass Authorization Controls


A newly disclosed critical vulnerability in the Next.js framework, tracked as CVE-2025-29927, allows unauthenticated attackers to bypass middleware-based authorization checks by exploiting improper handling of the x-middleware-subrequest HTTP header.

This flaw impacts all versions of Next.js that rely on this header to differentiate between internal subrequests and external traffic, risking exposure of protected routes and administrative interfaces.

Role of x-middleware-subrequest Header

Next.js uses the x-middleware-subrequest header to prevent infinite loops when middleware triggers subrequests to the server.

The middleware logic reads and parses this header to detect recursive calls, according to a report by security researchers.

However, because Next.js does not sufficiently distinguish between legitimate internal subrequests and malicious external requests, an attacker can set this header arbitrarily to force middleware to skip authorization checks.
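As an added defensive example (not code from the article or from the Next.js project), the following Node.js snippet shows the two controls a defender would want against this class of issue: stripping the `x-middleware-subrequest` header from any request that arrives from outside the trust boundary, so the header reaches middleware only when the framework itself sets it, and flagging requests that carried it in access logs. The `edgeFilter` wiring, the JSON access-log format and the sample log entries are assumptions made for illustration; the header values in the sample are constructed placeholders, not real payloads.

```javascript
// Added defensive example (not Next.js project code): strip the
// x-middleware-subrequest header from external requests at the edge and flag
// any request that carried it, so middleware cannot be tricked into skipping
// its authorization checks.

const HEADER = 'x-middleware-subrequest';

// Remove any client-supplied copy of the header, matching case-insensitively
// because header maps from sources other than Node's IncomingMessage may not
// be lower-cased. Returns the cleaned map and whether anything was stripped.
function sanitizeHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === HEADER) {
      stripped = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Express/Connect-style handler for a custom Next.js server or a Node reverse
// proxy (hypothetical wiring): drop the header before the request reaches the
// framework and emit a log line when an external client sent it.
function edgeFilter(log = console.warn) {
  return function (req, res, next) {
    const { headers, stripped } = sanitizeHeaders(req.headers);
    if (stripped) {
      const ip = (req.socket && req.socket.remoteAddress) || 'unknown';
      log(`stripped ${HEADER} from external client ${ip} on ${req.url}`);
    }
    req.headers = headers;
    next();
  };
}

// Detection over access-log lines (one JSON object per line, as a reverse
// proxy might emit with header logging enabled; format is an assumption).
// Returns the entries that carried the header, with the value seen.
function findSuspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    const hdrs = entry.headers || {};
    const hit = Object.keys(hdrs).find((k) => k.toLowerCase() === HEADER);
    if (hit) hits.push({ ip: entry.ip, path: entry.path, value: hdrs[hit] });
  }
  return hits;
}

// Constructed sample log: addresses, paths and header values are made up.
const SAMPLE_LOG = [
  JSON.stringify({ ip: '203.0.113.5', path: '/admin',
    headers: { 'x-middleware-subrequest': 'constructed-value-1' } }),
  JSON.stringify({ ip: '198.51.100.7', path: '/',
    headers: { 'user-agent': 'curl/8.0' } }),
  JSON.stringify({ ip: '203.0.113.9', path: '/api/users',
    headers: { 'X-Middleware-Subrequest': 'constructed-value-2' } }),
].join('\n');

// Stand-alone run: scan the constructed log and report what was found.
for (const hit of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(`flag: ${hit.ip} -> ${hit.path} (${HEADER}=${hit.value})`);
}
```

Stripping at the edge is a compensating control, not a substitute for upgrading: it only helps if every path into the application passes through the filter, so place it at the outermost proxy rather than inside the application that is itself being protected.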

Technical Mechanism of the Vulnerability

The core of the issue resides in the following code snippet within Next.js middleware execution ...


Copyright of this story solely belongs to gbhackers.