CRITICAL · CVSS 9.1

CVE-2025-29927 — Next.js middleware authentication bypass

An unauthenticated attacker can bypass any Next.js middleware, including authentication and authorization checks, by sending a single HTTP header. Affects self-hosted Next.js applications that use middleware and run a version below the patched releases listed here.

Affects
  • Next.js 15 < 15.2.3
  • Next.js 14 < 14.2.25
  • Next.js 13 < 13.5.9
  • Next.js 12 < 12.3.5

What an attacker does

The attacker sets the `x-middleware-subrequest` header on an HTTP request to any route in your app. Next.js uses this header internally to mark a request as a sub-invocation that has already passed through middleware: its value is a colon-separated list of middleware names, and before the patch the server trusted it even when it arrived from the outside. If the list contained the app's own middleware name (`middleware`, or `src/middleware` when the file lives under `src/`), or on the 15.x line contained it enough times to trip the recursion-depth limit, middleware was skipped entirely. Result: every request that should have been gated by your auth middleware goes straight to the route handler.

How to detect

Use the free CVE-2025-29927 scanner at /tools. It sends one crafted request with the header to a route your middleware protects, compares the response with a baseline request without the header, and tells you whether you are vulnerable. Also check the version you actually ship: `npm ls next` (or the `next` entry in your lockfile, which is what gets installed, rather than the range in `package.json`).

How to fix

Upgrade Next.js to 15.2.3, 14.2.25, 13.5.9, or 12.3.5 (or any later release on the same major line), depending on the major version you run. No code changes required; the patched releases stop trusting the header on external requests.

Workaround if you cannot upgrade today

Block or strip the `x-middleware-subrequest` header at your edge / CDN / reverse proxy until you can upgrade, so no request carrying it reaches the Next.js server. This is the workaround for self-hosted deployments behind infrastructure you control; the upstream advisory states that deployments on Vercel were not affected, so on Vercel the header is already handled for you and the fix there is simply to upgrade.

How Securie catches it

Securie's Next.js specialist runs this probe on every deploy. Free during early access — install the GitHub App or Vercel Integration.

References