## https://sploitus.com/exploit?id=99D42FD2-CF2C-5C07-9836-C68B5BDF2F51
# CVE-2025-29927: The Next.js Middleware Nightmare
**This repository is provided strictly for educational purposes only.**
I did not discover this vulnerability - this is a demonstration and explanation of a publicly disclosed security issue. Using this knowledge to exploit vulnerable systems without authorization is illegal and unethical.
## Here we go again...
If you're using Next.js for your production apps, **stop what you're doing and check your version number**. There's a serious middleware vulnerability that could leave your entire authentication system wide open.
This critical vulnerability has been responsibly disclosed and patched, so I'm sharing this educational demonstration to help developers understand the issue and protect their systems.
## What's the vulnerability?
- **CVE ID**: CVE-2025-29927
- **Severity**: Critical (CVSS 9.1) - This is as bad as it gets, folks
- **Disclosed**: March 21st, 2025
- **Affected**:
  - Next.js 15.x before 15.2.3
  - Next.js 14.x before 14.2.25
  - Next.js 11.1.4 through 13.5.6 (yes, that many versions!)
## The technical breakdown
The issue lies in how Next.js handles the internal `x-middleware-subrequest` HTTP header. This header was designed to prevent middleware recursion, but attackers can manipulate it to completely bypass middleware execution.
Think about what that means - any middleware-based security is potentially ineffective:
- Auth checks? Bypassed.
- Admin-only routes? Wide open.
- Rate limiting? Nope.
- IP blocking? Ineffective.
There have been reports of this vulnerability being used in the wild to access admin panels, user data, and even financial information. Some organizations had their sensitive data exposed without even knowing it.
## Proof of Concept
This repo includes:
- A vulnerable Next.js app showing typical middleware auth
- An educational exploit script showing how the bypass works
- Multiple ways to patch your systems
## Fix it now!
### Best option: Update ASAP
- Using Next.js 15? → Update to 15.2.3+
- On Next.js 14? → Update to 14.2.25+
- Stuck on older versions? → Use one of the workarounds below
### Can't update immediately? Try these:
#### Nginx way:
```nginx
# Strips the problematic header
proxy_set_header x-middleware-subrequest "";
```
#### Apache route:
```apache
# Does the same thing for Apache users
RequestHeader unset x-middleware-subrequest
```
#### Express.js approach:
```javascript
// Quick middleware fix until you can properly update.
// Only applies when Express sits in front of Next.js (custom server setup):
// it strips the header before the request ever reaches Next.js.
app.use((req, res, next) => {
  // Node lower-cases incoming header names, so this key matches any casing.
  delete req.headers['x-middleware-subrequest'];
  next();
});
```
## Security lessons & useful resources
This vulnerability reinforces important security principles:
1. Stay on top of security updates
2. Never trust headers from the client
3. Implement defense in depth - don't rely solely on middleware
Check out these resources to build more secure Next.js apps:
- [Next.js Security Best Practices](https://nextjs.org/docs)
- [OWASP's Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Web Application Security Best Practices](https://cheatsheetseries.owasp.org/)
This repository provides a technical explanation and demonstration of CVE-2025-29927 for educational purposes only. All information is based on publicly disclosed details that have been properly patched. If you discover security vulnerabilities in any software, always follow responsible disclosure practices:
1. Report the issue to the vendor/maintainer directly
2. Provide them reasonable time to address the issue
3. Do not publicly disclose until a patch is available
4. Never exploit vulnerabilities on systems without explicit permission
## Final thoughts
This vulnerability demonstrates how even well-designed frameworks can have critical security flaws. Stay vigilant out there, and make updating dependencies part of your regular workflow.
Feel free to reach out with questions or if you need help implementing any of these fixes!