CVE-2025-29927 is a critical vulnerability in the Next.js web framework that allows attackers to bypass authentication and authorisation.
This middleware authorisation bypass vulnerability allows attackers to remove authentication and access restrictions on websites built using the Next.js framework, including e-commerce sites and SaaS applications.
The bypass works by adding a specific HTTP header to the request, which causes Next.js to skip middleware processing and allows the user to access protected routes.
The vulnerability was discovered by Rachid and Yasser Allam and affects all versions of Next.js prior to 14.2.25 and 15.2.3.
It can be detected by monitoring request logs and network traffic for signs of the ‘x-middleware-subrequest’ header.
Temporary solutions include blocking requests that contain this header at the web server level, whilst Next.js users should update to a patched version as soon as possible.
Developers are also urged not to rely solely on middleware for authentication and to implement additional checks.
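The detection and web-server-level blocking guidance above, as an added example that is not part of the original advisory: a Node.js scan over constructed JSON-lines access-log records (the `ts`/`method`/`path`/`headers` field names are assumed, not a real log schema) that flags any request carrying the `x-middleware-subrequest` header regardless of case, plus an edge-side decision function expressing the "reject before it reaches Next.js" workaround.

```javascript
// Constructed sample access-log records (JSON lines), one per request.
// Field names (ts, method, path, headers) are assumed; header values are placeholders.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:01Z","method":"GET","path":"/","headers":{"host":"app.example","user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-23T10:00:02Z","method":"GET","path":"/admin","headers":{"host":"app.example","X-Middleware-Subrequest":"<placeholder>"}}',
  '{"ts":"2025-03-23T10:00:03Z","method":"POST","path":"/api/orders","headers":{"host":"app.example","x-middleware-subrequest":"<placeholder>"}}',
  'not json at all',
].join('\n');

const SUSPICIOUS_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive, so normalise before matching.
function hasSuspiciousHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === SUSPICIOUS_HEADER,
  );
}

// Scan JSON-lines access-log text and return the records that carry the header.
// Malformed lines are counted rather than aborting the scan.
function scanAccessLog(text) {
  const flagged = [];
  let malformed = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { malformed++; continue; }
    if (hasSuspiciousHeader(rec.headers)) {
      flagged.push({ ts: rec.ts, method: rec.method, path: rec.path });
    }
  }
  return { flagged, malformed };
}

// Edge-side guard mirroring the "block at the web server level" workaround:
// decide whether a client request should be rejected before it reaches Next.js.
function edgeDecision(headers) {
  if (hasSuspiciousHeader(headers)) {
    return { status: 403, reason: 'x-middleware-subrequest is not accepted from clients' };
  }
  return { status: 200, reason: 'ok' };
}

console.log(scanAccessLog(SAMPLE_LOG)); // flags /admin and /api/orders, 1 malformed line
```

The same case-insensitive header test is what a web-server or reverse-proxy rule would encode; the log scan is for finding attempts that already reached the application.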