CVE-2025-29927 | NextJs | AB
**Vulnerability:** CVE-2025-29927
**Description:** CVE-2025-29927 is a critical authorization bypass vulnerability in the Next.js framework. The flaw arises from improper validation of the internal-use HTTP header `x-middleware-subrequest`. By injecting this header into HTTP requests, attackers can trick middleware into treating the request as internal, allowing them to bypass authentication and access protected resources without logging in.
**Affected Systems:** The following versions of Next.js are vulnerable:
- Next.js 11: 11.1.4 and later
- Next.js 12: all versions prior to 12.3.5
- Next.js 13: all versions prior to 13.5.9
- Next.js 14: all versions prior to 14.2.25
- Next.js 15: all versions prior to 15.2.3
**Attack Vector:** To exploit this vulnerability:
- The application must use middleware for access control or authentication.
- Middleware logic must not validate or sanitize the `x-middleware-subrequest` header.
- An attacker forges this header in a crafted HTTP request to a protected route.
- Middleware treats the request as trusted/internal and skips access control.
**Exploitation Techniques:**
- Header injection: injecting the `x-middleware-subrequest` header into HTTP requests.
- Middleware trust abuse: exploiting misconfigured or overly permissive trust logic in middleware.
- JavaScript reconnaissance: inspecting client-side code to discover sensitive endpoints like `/events/create`.
- Automated mass testing: using tools like Shodan, Nuclei, or Fofa to identify and scan targets.
**Proof of Concept (PoC):**
1. Version discovery
   ```bash
   nuclei -t nuclei-templates/http/cves/2025/CVE-2025-29927.yaml
   ```
2. Exploiting the bypass with curl
   ```bash
   curl -H "x-middleware-subrequest: middleware:middleware:middleware" https://target.com/dashboard
   ```
3. Exploiting with Burp Suite
   - Intercept a request to a protected route (e.g., `/events`)
   - Add the header: `x-middleware-subrequest: middleware`
   - Forward the request and observe access without a…
**The Impact of the Bug:**
- Unauthorized access to protected resources without valid authentication.
- Potential privilege escalation, including access to admin-level features.
- Application takeover through exposed internal or sensitive endpoints.
- Breach of tenant isolation in multi-tenant applications.
- Exploitation of middleware logic flaws for full session bypass.
**How to Detect Exploitation:**
- Log analysis: monitor access logs for external requests containing the `x-middleware-subrequest` header.
- Middleware flow audit: ensure access control is not skipped based on request headers.
- Session validation: check for missing or invalid session tokens where access was granted.
- Endpoint recon detection: review logs for access to hidden or non-linked routes like `/events/create`.
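An added detection example (not code from the original advisory or the Next.js project) that applies the log-analysis and session-validation checks above to constructed access-log lines; the JSON log shape, the protected route prefixes and the session cookie name are assumptions:

```javascript
// Added example, not code from the advisory or the Next.js project: scan constructed
// JSON access-log lines (as a reverse proxy in front of Next.js might emit) for an
// external client sending x-middleware-subrequest, and for a 2xx on a protected
// route with no session cookie. Route prefixes and cookie name are assumptions.
const PROTECTED_PREFIXES = ["/dashboard", "/admin"]; // assumed protected routes
const SESSION_COOKIE = "session";                     // assumed cookie name

// Loopback and RFC 1918 sources count as internal; everything else is external.
function isInternalSource(ip) {
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$)/.test(ip);
}

function hasSessionCookie(headers) {
  return (headers.cookie || "").split(";").some((c) => c.trim().startsWith(`${SESSION_COOKIE}=`));
}

// Returns the findings for one record; an empty array means nothing fired.
function analyzeLogLine(line) {
  const rec = JSON.parse(line);
  // Header names are case-insensitive, so normalise before lookup.
  const headers = Object.fromEntries(
    Object.entries(rec.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const findings = [];
  const sub = headers["x-middleware-subrequest"];
  if (sub !== undefined && !isInternalSource(rec.src_ip)) {
    findings.push({ rule: "external-subrequest-header", src_ip: rec.src_ip, path: rec.path, value: sub });
  }
  const onProtected = PROTECTED_PREFIXES.some((p) => rec.path.startsWith(p));
  if (onProtected && rec.status >= 200 && rec.status < 300 && !hasSessionCookie(headers)) {
    findings.push({ rule: "protected-route-without-session", src_ip: rec.src_ip, path: rec.path });
  }
  return findings;
}

function analyzeLog(lines) {
  return lines.flatMap(analyzeLogLine);
}

// Constructed sample records (not real traffic); addresses come from documentation ranges.
const SAMPLE_LOG = [
  '{"src_ip":"203.0.113.7","path":"/dashboard","status":200,"headers":{"X-Middleware-Subrequest":"middleware:middleware:middleware"}}',
  '{"src_ip":"198.51.100.9","path":"/dashboard","status":200,"headers":{"cookie":"session=abc123"}}',
  '{"src_ip":"10.0.0.5","path":"/api/health","status":200,"headers":{"x-middleware-subrequest":"middleware"}}',
  '{"src_ip":"203.0.113.8","path":"/admin/users","status":302,"headers":{}}',
];

console.log(analyzeLog(SAMPLE_LOG)); // two findings, both from 203.0.113.7
```

The internal-source allowlist should match the addresses your own proxy or edge tier uses; a header that arrives from anywhere else never has a legitimate origin.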
**Mitigation Steps:**
- Upgrade to a patched version of Next.js:
  - 12.3.5 or later
  - 13.5.9 or later
  - 14.2.25 or later
  - 15.2.3 or later
- Block or sanitize the header in middleware:
  ```js
  export function middleware(request) {
    // Reject any inbound request that carries the internal-use header.
    // Strip it at the reverse proxy as well (see Workarounds) so it never reaches the app.
    if (request.headers.get("x-middleware-subrequest")) {
      return new Response("Blocked", { status: 403 });
    }
  }
  ```
- Harden middleware logic:
  - Explicitly validate sessions and roles on the server.
  - Do not rely on header presence for access control decisions.
**Workarounds:**
- Strip or reject the `x-middleware-subrequest` header from external client requests.
- Restrict access to privileged routes by IP, VPN, or auth tokens.
- Monitor real-time access to high-risk endpoints and alert on anomalies.
**References:**
- https://vercel.com/blog/postmortem-on-next-js-middleware-bypass
- https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/
- https://censys.com/advisory/cve-2025-29927