CVE-2025-29927 — Next.js middleware bypass mass exploitation
A CVSS 9.1 Next.js middleware-bypass vulnerability was disclosed and patched on the same day. Vercel-hosted apps were patched automatically; self-hosted Next.js apps became target-of-the-week. One year later, 40% are still vulnerable.
What happened
CVE-2025-29927 let any attacker bypass any Next.js middleware — including authentication — with a single HTTP header (`x-middleware-subrequest`). Mass exploitation began within hours of disclosure. Self-hosted deployments that did not upgrade were compromised in weeks.
Timeline
- Researcher reports bug privately to Vercel.
- Vercel patches + discloses CVE-2025-29927.
- Public exploit scripts appear within hours.
- Vercel-hosted apps auto-patched; self-hosters target-of-the-week for weeks.
Root cause
Next.js used an internal header (`x-middleware-subrequest`) to prevent infinite recursion of middleware. Before the patch, Next.js trusted this header regardless of who set it, so a client that supplied it caused Next.js to skip middleware entirely.
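The interim mitigation for deployments that cannot upgrade immediately is to keep external requests carrying `x-middleware-subrequest` from ever reaching Next.js. The following is an added example, not code from the article, Vercel or Next.js: a header filter for a reverse proxy or custom Node server sitting in front of a self-hosted app, plus a detector that flags requests arriving with the header so bypass attempts show up in logs. The request records are constructed sample data.

```javascript
// Header Next.js used internally to detect recursive middleware invocation.
// An external client has no legitimate reason to send it.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Strip the internal header from an inbound request before forwarding it,
// so a client can never influence the middleware-recursion check.
// Header names are matched case-insensitively, as HTTP requires.
// Returns the cleaned headers and whether anything was removed.
function sanitizeHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true; // drop it; do not pass it on to Next.js
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Detection: scan access-log style records and return every external
// request that carried the header. Each hit is a bypass attempt worth
// alerting on, whatever the response status was.
function findBypassAttempts(records) {
  return records
    .filter((r) =>
      Object.keys(r.headers).some((h) => h.toLowerCase() === INTERNAL_HEADER))
    .map((r) => ({ ip: r.ip, path: r.path }));
}

// Constructed sample traffic (hypothetical addresses and paths).
const sampleRequests = [
  { ip: "203.0.113.10", path: "/admin",
    headers: { host: "app.example", "X-Middleware-Subrequest": "<constructed-value>" } },
  { ip: "198.51.100.7", path: "/",
    headers: { host: "app.example", accept: "text/html" } },
];

// Forwarding path: the first request loses the header, the second is untouched.
const forwarded = sampleRequests.map((r) => sanitizeHeaders(r.headers));
// Detection path: only the first request is reported.
const attempts = findBypassAttempts(sampleRequests);
```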
Impact
- Mass exploitation of self-hosted Next.js apps
- Estimated thousands of apps compromised
- One year later: 40% of public Next.js apps still vulnerable (per Vibe Leak Index)
You can check whether an app is affected: the free /tools scanner tests any URL for this vulnerability in one request. As an ongoing check, Securie's Next.js specialist flags vulnerable versions in every PR.
Lessons
- Self-hosted infrastructure requires patch discipline
- CVE disclosure + public exploit = race to patch
- Vercel-hosted apps are safer than self-hosted ones where patch latency is concerned