CVE-2025-29927: Authorization Bypass in Next.js Middleware

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://nextjs.org/blog/cve-2025-29927 announces:

> Next.js version 15.2.3 has been released to address a security vulnerability
> (CVE-2025-29927). Additionally, backported patches are available.
>
> We recommend that all self-hosted Next.js deployments using "next start" and
> "output: 'standalone'" should update immediately.
>
> Continue reading for more details on the CVE.
>
> Timeline
>
>     2025-02-27T06:03Z: Disclosure to Next.js team via GitHub private
>                        vulnerability reporting
>     2025-03-14T17:13Z: Next.js team started triaging the report
>     2025-03-14T19:08Z: Patch pushed for Next.js 15.x
>     2025-03-14T19:26Z: Patch pushed for Next.js 14.x
>     2025-03-17T22:44Z: Next.js 14.2.25 released
>     2025-03-18T00:23Z: Next.js 15.2.3 released
>     2025-03-18T18:03Z: CVE-2025-29927 issued by GitHub
>     2025-03-21T10:17Z: Security Advisory published
>     2025-03-22T21:21Z: Next.js 13.5.9 released
>     2025-03-23T06:44Z: Next.js 12.3.5 released
>
> Vulnerability details
>
> Next.js uses an internal header "x-middleware-subrequest" to prevent recursive
> requests from triggering infinite loops. The security report showed it was
> possible to skip running Middleware, which could allow requests to skip
> critical checks—such as authorization cookie validation—before reaching routes.
>
> Impact scope
>
>   Affected
>
>     Self-hosted Next.js applications using Middleware ("next start" with
>      "output: 'standalone'")
>     This affects you if you rely on Middleware for auth or security checks,
>      which are not then validated later in your application.
>     Applications using Cloudflare can turn on a Managed WAF rule
>
>   Not affected
>
>     Applications hosted on Vercel
>     Applications hosted on Netlify
>     Applications deployed as static exports (Middleware not executed)
>
> Patched versions
>
>     For Next.js 15.x, this issue is fixed in 15.2.3
>     For Next.js 14.x, this issue is fixed in 14.2.25
>     For Next.js 13.x, this issue is fixed in 13.5.9
>     For Next.js 12.x, this issue is fixed in 12.3.5
>
> If patching to a safe version is infeasible, it is recommended that you prevent
> external user requests which contain the "x-middleware-subrequest" header from
> reaching your Next.js application.
>
> Our security responsibility
>
> Next.js has published 16 security advisories since 2016. Over time, we've
> continued to improve how we gather, patch, and disclose vulnerabilities.
>
> GitHub Security Advisories and CVEs are industry-standard approaches to
> notifying users, vendors, and companies of vulnerabilities in software.
> While we have published a CVE, we missed the mark on partner communications.
>
> To help us more proactively work with partners depending on Next.js, and other
> infrastructure providers, we are opening a partner mailing list. Please reach
> out to partners () nextjs org to be included.


https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw adds:

> Credits
>
>     Allam Rachid (zhero;)
>     Allam Yasser (inzo_)



--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris