A severe vulnerability (CVE-2025-29927) has been discovered in Next.js, allowing attackers to bypass ALL authentication checks in middleware. This affects SaaS platforms using Next.js with middleware-based auth logic.
Exploit Details:
- Attackers can skip middleware execution by sending an `x-middleware-subrequest` header carrying the middleware's name.
- Middleware names are easily guessable (e.g., `auth`, `middleware.ts`).
- Cloudflare and Vercel initially clashed over mitigation, with Cloudflare attempting (and failing) to block the exploit.
Affected Systems:
- Next.js applications using middleware for authentication.
- Deployments on Vercel, Cloudflare, and other platforms.
Patch Status:
- A patch is available, but it took 3 weeks to release.
- Immediate update recommended.
## **You Should Know: How to Mitigate & Test**
### **1. Update Next.js Immediately**
```bash
npm update next
```
or
```bash
yarn upgrade next
```
### **2. Verify Middleware Security**
Check whether your middleware is vulnerable by testing with:
```bash
curl -H "x-middleware-subrequest: auth" http://your-nextjs-app.com/protected-route
```
If the request bypasses auth, **you are vulnerable**.
### **3. Rename Middleware Files**
Avoid common names like `middleware.ts` or `auth.ts`. Use unpredictable names:
```ts
// Rename to something unique
export { default } from "~/lib/secureValidationMiddleware";
```
### **4. Implement Additional Security Layers**
- Rate limiting (using `next-rate-limiter`): `npm install next-rate-limiter`
- IP blocking (via Cloudflare/Vercel edge functions).
### **5. Log Suspicious Requests**
Add logging in `middleware.ts`. Note that on an unpatched version the bypass skips the middleware entirely, so this check only observes attempts once you have updated; to catch them on a still-vulnerable deployment, log or block the header at the proxy or edge in front of the app.
```ts
import { NextRequest, NextResponse } from "next/server";

export function middleware(req: NextRequest) {
  // The x-middleware-subrequest header is internal to Next.js; a client has
  // no legitimate reason to send it, so log the attempt and reject the request.
  if (req.headers.get("x-middleware-subrequest")) {
    console.warn("Possible exploit attempt:", req.url);
    return new Response("Blocked", { status: 403 });
  }
  // Otherwise continue to the route (and to your normal auth checks).
  return NextResponse.next();
}
```
### **6. Use Cloudflare/Vercel Rules (Temporary Fix)**
- Cloudflare Workers: Block `x-middleware-subrequest` headers.
- Vercel Edge Config: Restrict middleware execution paths.
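Steps 5 and 6 both come down to refusing the internal header before it reaches the app, which works even while the Next.js version behind the proxy is still unpatched. The following is an added example, not code from the original post, the Next.js project or Cloudflare: a Worker-style fetch handler built only on the standard `Request`/`Response`/`Headers` APIs (Node 18+ or a Workers runtime); the origin URL and the `classifyRequest`/`handleRequest` names are assumptions.

```javascript
// Edge guard for CVE-2025-29927: x-middleware-subrequest is internal to
// Next.js and must never arrive from a client, so a proxy or worker in front
// of the app can reject it (or strip it) regardless of the app's patch level.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Decide what to do with an inbound request from its headers alone.
// Accepts a Headers instance or a plain object (header names are
// case-insensitive) and returns a decision object that can be logged and
// tested separately from the HTTP plumbing. mode: "block" (default) | "strip".
function classifyRequest(headers, mode = "block") {
  const h = new Headers(headers); // copy, so the caller's headers stay intact
  const value = h.get(INTERNAL_HEADER);
  if (value === null) {
    return { action: "forward", reason: "clean", value: null, headers: h };
  }
  if (mode === "strip") {
    h.delete(INTERNAL_HEADER); // forward the request, minus the internal header
    return { action: "forward", reason: "stripped", value, headers: h };
  }
  return { action: "block", reason: "client sent internal header", value };
}

// Worker-style handler sitting in front of the Next.js origin (assumed URL).
async function handleRequest(request, origin = "http://127.0.0.1:3000", mode = "block") {
  const decision = classifyRequest(request.headers, mode);
  if (decision.action === "block") {
    // Keep the value in the log line: it reveals which middleware name was guessed.
    console.warn(`[cve-2025-29927] blocked ${request.method} ${request.url} ` +
                 `value=${JSON.stringify(decision.value)}`);
    return new Response("Forbidden", { status: 403 });
  }
  const url = new URL(request.url);
  const target = new URL(url.pathname + url.search, origin);
  // Forward with the sanitised header set; duplex is required by Node's fetch
  // when a streamed request body is forwarded.
  return fetch(new Request(target, {
    method: request.method,
    headers: decision.headers,
    body: request.body,
    duplex: "half",
  }));
}
```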
## **What Undercode Say**
This vulnerability highlights the risks of relying solely on middleware for authentication. Always:
- Use multi-layered security (JWT + cookies + IP checks).
- Audit middleware logic regularly.
- Monitor headers for exploit attempts.
### **Linux & Windows Commands for Security Checks**
```bash
# Check running Next.js processes (Linux)
ps aux | grep next
# Kill vulnerable Next.js instances
pkill -f "next start"
```
```powershell
# Windows equivalent (PowerShell)
Get-Process | Where-Object { $_.Name -like "*next*" } | Stop-Process -Force
```
```bash
# Log analysis (Linux); requires a log_format that records the header,
# e.g. via $http_x_middleware_subrequest, since the default format does not
grep -i "x-middleware-subrequest" /var/log/nginx/access.log
# Block suspicious IPs (Linux)
iptables -A INPUT -s <ATTACKER_IP> -j DROP
```
## **Expected Output**:
- Next.js apps should reject requests with `x-middleware-subrequest`.
- Logs should record exploit attempts.
- Middleware should enforce strict naming conventions.
Stay secure! 🔒
References:
Reported By: Kostastsale Absolutely – Hackers Feeds