[2025.04 Vulnerability Report] Next.js Middleware Authentication Bypass
The vulnerability is an authentication bypass in Next.js: an attacker can skip the middleware that enforces access control in front of an API route by sending the middleware's path in the x-middleware-subrequest header, or, on newer versions, by repeating that path enough times to satisfy the recursion-depth condition.
The vulnerability was patched in Next.js versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, and AIWAF will add a detection pattern for it in the April 2025 pattern update.
1. Overview
Next.js is a React framework for building full-stack web applications. We recently analyzed CVE-2025-29927, an authentication bypass vulnerability in the framework's middleware handling.
Source : https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
2. Attack Type
CVE-2025-29927 is an authentication bypass affecting web applications built on the Next.js framework. Because the framework mishandles an internal header when dispatching requests to middleware, an attacker can reach API routes whose access is restricted by that middleware.
The x-middleware-subrequest header is meant to be set only by Next.js itself, to mark internal subrequests so that middleware does not run on them again. If an external request already carries this header with the middleware's own path as its value, Next.js skips the middleware and the protected API is served without the access check; from version 13.2.0 onward the path must appear enough times to satisfy the recursion condition described below.
The vulnerability exists in multiple versions of Next.js, and the header value that triggers the bypass differs by version:
- Before 12.2, the middleware file had to live in the pages/ folder and its name had to start with an underscore, so the value is pages/_middleware.
- From 12.2, both of these constraints were removed and the middleware file moved to the project root (or under src/), so the value is middleware or src/middleware.
- From 13.2.0, a recursion-depth check was added to prevent infinite middleware loops, so the middleware name must appear at least 5 times in the header, separated by colons.
Example requests that bypass access control, one per version range (HTTPie is used as the client):
Versions before 12.2:
GET /protected HTTP/1.1
Host: www.test.com
User-Agent: HTTPie
x-middleware-subrequest: pages/_middleware
Versions 12.2 up to 13.2.0:
GET /protected HTTP/1.1
Host: www.test.com
User-Agent: HTTPie
x-middleware-subrequest: middleware
Versions 13.2.0 and later (the middleware name repeated to reach the recursion limit of 5):
GET /protected HTTP/1.1
Host: www.test.com
User-Agent: HTTPie
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
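To make the three version-specific payloads concrete, the following is an added example written for this report; it is neither Next.js source code nor the AIWAF pattern itself. It models the skip decision in a simplified form (the era labels, the function names and the MAX_RECURSION_DEPTH constant are assumptions made for illustration), and it shows the check a reverse proxy or WAF can apply to incoming requests, using constructed sample requests that mirror the ones above.

```javascript
// Added example, not Next.js's own code: a simplified model of how the
// x-middleware-subrequest header decides whether middleware runs, across the
// three version ranges described in the report.
const MAX_RECURSION_DEPTH = 5; // assumed value for the 13.2.0+ recursion limit

// era: 'pre-12.2' | '12.2' | '13.2' (labels are assumptions for this example)
// middlewareName: the path Next.js uses for the middleware, e.g. 'pages/_middleware'
function middlewareSkipped(era, headerValue, middlewareName) {
  if (typeof headerValue !== 'string') return false;
  const segments = headerValue.split(':');
  if (era === '13.2') {
    // Newer versions count how often the middleware name appears and only
    // skip once the count reaches the recursion limit.
    const depth = segments.filter((s) => s === middlewareName).length;
    return depth >= MAX_RECURSION_DEPTH;
  }
  // Older versions skip as soon as the name appears at all.
  return segments.includes(middlewareName);
}

// The header is internal to Next.js; any copy arriving from a client is
// suspicious. Matching a known middleware path is the stronger signal.
const KNOWN_MIDDLEWARE_PATHS = ['pages/_middleware', 'middleware', 'src/middleware'];

function detectBypassAttempt(headers) {
  // HTTP header names are case-insensitive, so normalise before the lookup.
  const lowered = {};
  for (const [name, value] of Object.entries(headers)) {
    lowered[name.toLowerCase()] = value;
  }
  const value = lowered['x-middleware-subrequest'];
  if (value === undefined) return { suspicious: false, reason: 'header absent' };
  const segments = String(value).split(':');
  const hit = segments.find((s) => KNOWN_MIDDLEWARE_PATHS.includes(s));
  if (hit !== undefined) {
    return {
      suspicious: true,
      reason: `middleware path "${hit}" in x-middleware-subrequest (${segments.length} segment(s))`,
    };
  }
  return { suspicious: true, reason: 'external x-middleware-subrequest header' };
}

// Proxy-side mitigation when patching is not immediately possible: drop the
// header before the request reaches Next.js. Returns a new header object.
function stripSubrequestHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-middleware-subrequest') out[name] = value;
  }
  return out;
}

// Constructed sample requests mirroring the three payloads in the report,
// plus one benign request.
const SAMPLE_REQUESTS = [
  { Host: 'www.test.com', 'User-Agent': 'HTTPie' },
  { Host: 'www.test.com', 'User-Agent': 'HTTPie', 'x-middleware-subrequest': 'pages/_middleware' },
  { Host: 'www.test.com', 'User-Agent': 'HTTPie', 'x-middleware-subrequest': 'middleware' },
  { Host: 'www.test.com', 'User-Agent': 'HTTPie',
    'x-middleware-subrequest': 'middleware:middleware:middleware:middleware:middleware' },
];

function scanSamples() {
  return SAMPLE_REQUESTS.map((req) => detectBypassAttempt(req));
}

for (const result of scanSamples()) console.log(result);
```

Note that the single "middleware" value no longer bypasses the modelled 13.2 check, while the five-fold value does, which is why the payload had to change with that release; the detection, by contrast, does not need to know the version, because a legitimate client never sends this header.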
3. Response
Next.js has released a fix for CVE-2025-29927 on each supported release line (12.3.5, 13.5.9, 14.2.25 and 15.2.3), so users of the framework should upgrade to at least the fixed version for the line they run. Where upgrading is not immediately possible, the advisory recommends preventing external requests that carry the x-middleware-subrequest header from reaching the Next.js application. Our AIWAF product has added a detection pattern for this vulnerability to the April 2025 pattern update, which will be released shortly.
Source : https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
4. Conclusion
Next.js is a full-stack framework for React that is widely used for front-end work and is the most prominent React framework, so a large number of web applications are built on it. The impact of this vulnerability is therefore high, and affected deployments should be upgraded to a fixed version promptly.
Our AIWAF product has developed a pattern to detect exploitation of this Next.js vulnerability, and we will continue to respond quickly to related vulnerabilities as they are discovered.