Listen to this Post

Many systems using Next.js software have vulnerabilities. This exploit is very simple and easy to exploit and needs to be fixed urgently in vulnerable systems.
Affected Versions:
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware.
Official Patches:
Vercel, the company behind Next.js, has released patches for the vulnerability:
– For Next.js 15.x, the issue is fixed in version 15.2.3
– For Next.js 14.x, the issue is fixed in version 14.2.25
– For Next.js versions 11.1.4 through 13.5.6, users are advised to implement the workaround described below.
CVSS 3.x Severity and Vector Strings:
- Base Score: 9.1 CRITICAL
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
Method of Exploitation:
Example Exploit Request:
GET /admin HTTP/1.1 Host: vulnerable-site.com x-middleware-subrequest:middleware:middleware:middleware:middleware:middleware
References:
You Should Know:
- How to Check if Your Next.js Version is Vulnerable
Run the following command in your project directory:
npm list next
If the version falls within the affected range, upgrade immediately.
2. Manual Workaround (For Unpatched Versions)
Modify your middleware to explicitly reject unexpected `x-middleware-subrequest` headers:
// middleware.js
export function middleware(request) {
if (request.headers.get('x-middleware-subrequest')) {
return new Response('Unauthorized', { status: 403 });
}
// Rest of your auth logic
}
3. Upgrading Next.js
To upgrade to the latest secure version:
npm install next@latest
Or for a specific fixed version:
npm install [email protected]
4. Testing for the Vulnerability
Use cURL to test if your middleware is vulnerable:
curl -H "x-middleware-subrequest: bypass" http://yoursite.com/admin
If you get a 403, the fix is working. If you get a 200, you’re still vulnerable.
5. Monitoring & Logging Suspicious Requests
Add logging in `middleware.js` to detect exploit attempts:
export function middleware(request) {
if (request.headers.get('x-middleware-subrequest')) {
console.warn('Possible exploit attempt:', request.url);
return new Response('Blocked', { status: 403 });
}
}
6. Automated Scanning with Nmap
Check exposed endpoints for misconfigurations:
nmap -p 80,443 --script http-security-headers yoursite.com
- Linux Firewall Rule to Block Exploit Patterns
Add an iptables rule to block repeated `x-middleware-subrequest` headers:iptables -A INPUT -p tcp --dport 80 -m string --string "x-middleware-subrequest" --algo bm -j DROP
What Undercode Say:
This vulnerability highlights the risks of improper middleware authorization checks in modern web frameworks. Immediate patching is critical, but defensive coding practices—such as strict header validation—should be standard.
Expected Output:
- A 403 Forbidden response when testing with
x-middleware-subrequest. - No unauthorized access to protected routes after applying patches.
- Logs showing blocked exploit attempts.
Prediction:
- Attackers will quickly weaponize this CVE due to its simplicity.
- Unpatched systems will see increased scanning and exploitation attempts within weeks.
- Future Next.js updates will enforce stricter middleware security by default.
References:
Reported By: La Pyae – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


