
Authorisation bypass vulnerability in Next.js web development framework (CVE-2025-29927)

CVE number: CVE-2025-29927

Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops.

The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.

Affected

  • Self-hosted Next.js applications using Middleware (next start with output: standalone)
  • This affects you if you rely on Middleware for authentication or other security checks that are not validated again later in your application.
  • Applications using Cloudflare can turn on a Managed WAF rule

Not affected

  • Applications hosted on Vercel
  • Applications hosted on Netlify
  • Applications deployed as static exports (Middleware not executed)

Next.js version 15.2.3 has been released to address this security vulnerability.
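The two defensive measures the advisory points at are an edge rule that refuses the internal header from outside, and re-checking authorisation inside the route rather than trusting that Middleware ran. The following is an added example of both (my own code, not the advisory's or the Next.js project's); it assumes a reverse proxy hands it a plain header object, and the session store and sample requests are constructed stubs.

```javascript
// Added example (not from the advisory or from Next.js): edge-side policy for the
// internal header described above, plus an in-route re-check for defence in depth.
// Assumes a reverse proxy passes headers as a plain object; session data is a stub.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Normalise header names so "X-Middleware-Subrequest" and the lowercase form match.
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Policy 1 (block): a browser or API client has no legitimate reason to send a header
// that Next.js only sets on its own internal subrequests, so reject it and log why.
function classifyRequest(headers) {
  if (INTERNAL_HEADER in lowerKeys(headers)) {
    return { action: "block", reason: `client supplied internal header ${INTERNAL_HEADER}` };
  }
  return { action: "forward", reason: "no internal-only headers present" };
}

// Policy 2 (strip): drop the header before proxying so Middleware always executes.
function stripInternalHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== INTERNAL_HEADER)
  );
}

// Defence in depth: the route re-validates the session cookie itself instead of
// assuming Middleware already did. VALID_SESSIONS is a constructed stand-in store.
const VALID_SESSIONS = new Set(["sess-constructed-1"]);
function handleDashboard(headers) {
  const cookie = lowerKeys(headers).cookie || "";
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  if (!match || !VALID_SESSIONS.has(match[1])) return { status: 401 };
  return { status: 200 };
}

// Constructed sample requests (not real traffic): one normal, one carrying the header.
const SAMPLE_REQUESTS = [
  { path: "/dashboard", headers: { Cookie: "session=sess-constructed-1" } },
  { path: "/dashboard", headers: { "X-Middleware-Subrequest": "constructed", Cookie: "theme=dark" } },
];

// Run the edge policy over the samples; useful as a log line per request.
function auditSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ path: r.path, ...classifyRequest(r.headers) }));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

Either policy alone closes the edge; the in-route check is what protects a deployment where the edge rule is missing or misconfigured.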

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
