Critical Next.js Vulnerability: Authorization Bypass in Middleware
Published March 24, 2025.

What Happened
On March 21, 2025, a critical vulnerability (GHSA-f82v-jwr5-mffw/CVE-2025-29927) was disclosed in Next.js. This vulnerability allows attackers to bypass authorization checks implemented in middleware by manipulating a specific header. With a CVSS score of 9.1, this is classified as a critical security issue.
The vulnerability affects the following Next.js versions:
Next.js >= 13.0.0, < 13.5.9
Next.js >= 14.0.0, < 14.2.25
Next.js >= 15.0.0, < 15.2.3
Next.js >= 11.1.4, < 12.3.5
What Organizations Should Do
1. Update to patched versions immediately
For Next.js 15.x: Update to version 15.2.3 or later
For Next.js 14.x: Update to version 14.2.25 or later
For Next.js 13.x: Update to version 13.5.9 or later
For Next.js 12.x: Update to version 12.3.5 or later
2. If you can't update immediately:
Implement network-level filtering to block the x-middleware-subrequest header
Increase monitoring for unusual access patterns
Prioritize updating based on external exposure and data sensitivity
3. Verify and validate:
Confirm successful patch application
Test that authorization controls still function properly
Using Jit.io to Respond
Jit.io's ASPM platform provides immediate support for organizations managing this vulnerability:
Detection & Discovery:
Our SCA capabilities automatically detect vulnerable Next.js versions across your repositories
SBOM scanning identifies all instances where Next.js is used, including transitive dependencies
Our platform can quickly search for Next.js usage patterns across your codebase
Prioritization & Response:
Jit.io contextually prioritizes affected applications based on exposure and sensitivity
One-click activation of additional security controls to mitigate risk
Automated PR creation for dependency updates to patched versions
Monitoring & Validation:
Continuous monitoring confirms successful remediation
Change-based scanning ensures patches are applied and remain in place
Integration with development workflows ensures vulnerabilities are addressed during the development cycle
Deep Dive on the Issue
Vulnerability Mechanics
The vulnerability exists in the Next.js middleware implementation. Middleware in Next.js is a powerful feature used for authentication, authorization, and other security controls that execute before reaching the actual route handler.
The issue specifically involves the x-middleware-subrequest header, which is used internally by Next.js. When this header is manipulated by an attacker in a specific way, it causes the middleware security checks to be bypassed entirely, allowing unauthorized access to protected routes and resources.
Applications using middleware for critical security functions like:
Authentication verification
Role-based access control
API protection
Request validation
Custom security headers
are particularly at risk if they haven't implemented additional security layers beyond the middleware.
Attack Surface & Impact
The vulnerability presents a significant risk because:
Middleware-based authorization is a common pattern in Next.js applications
The vulnerability requires minimal technical knowledge to exploit
There are no obvious signs of exploitation in standard logs
It potentially provides direct access to protected resources
Applications with the following characteristics are most at risk:
External/internet-facing deployments
Applications handling sensitive data
Systems with middleware as the primary security control
Applications with administrative interfaces protected by middleware
Mitigations if You Can't Patch
If immediate patching is not feasible, implement the following mitigations:
Network-Level Filtering
Block any external requests containing the x-middleware-subrequest header:
For Nginx:
# Add to server or location block
if ($http_x_middleware_subrequest) {
return 403 "Forbidden";
}
For Apache:
# In .htaccess or httpd.conf
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:x-middleware-subrequest} .+
RewriteRule .* - [F,L]
</IfModule>
For AWS WAF:
{
"Name": "Block-Middleware-Bypass",
"Priority": 10,
"Action": {
"Block": {}
},
"Statement": {
"ByteMatchStatement": {
"SearchString": "x-middleware-subrequest",
"FieldToMatch": {
"Headers": {
"MatchPattern": {
"All": {}
}
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "LOWERCASE"
}
],
"PositionalConstraint": "CONTAINS"
}},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "NextJsMiddlewareBypassAttempt"
}
}
Additional Defense-in-Depth Measures
- Implement secondary authorization checks: Add authorization logic in API routes and page components, not just middleware
- Use multi-factor security controls: Combine session validation with other verification mechanism
- Increase monitoring: Watch for unusual access patterns or unauthorized resource access
- Tighten network access controls: Restrict access to sensitive routes by IP or network where possible
Special Notes
Next.js deployments hosted on Vercel are automatically protected via their firewall implementation
This mitigation should be viewed as temporary while preparing for a proper update
For organizations looking for assistance in managing this vulnerability, Jit.io's security team is available to help. Visit jit.io to learn more about our ASPM platform and how it can strengthen your security posture against similar vulnerabilities.