DIVD-2025-00006 - Next.js Middleware Authorization Bypass
Our reference | DIVD-2025-00006 |
Case lead | Koen Schagen |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Update to a Next.js version outside the affected versions listed above. |
Patch status | Fully patched |
Workaround | Block or remove the 'x-middleware-subrequest' request header at the proxy or WAF |
Status | Open |
Last modified | 25 Mar 2025 12:47 CET |
Summary
CVE-2025-29927 is a critical vulnerability in Next.js that allows attackers to bypass middleware by exploiting the x-middleware-subrequest header. Updating to the latest version or stripping this header at the proxy level mitigates the risk.
What you can do
To protect against this vulnerability, update Next.js to a patched version immediately. If updating isn’t possible, strip the x-middleware-subrequest header at the proxy or web server level.
What we are doing
DIVD is currently scanning the internet for vulnerable Next.js applications with the Nuclei template mentioned below. Because applications differ in design, scanning with this template can produce false positives. Once vulnerable applications are identified, we will warn the administrators of the networks in which they are located.
Timeline
Date | Description |
---|---|
21 Mar 2025 | CVE-2025-29927 was publicly shared |
23 Mar 2025 | projectdiscovery created and shared a Nuclei template for scanning |
24 Mar 2025 | DIVD started testing with this Nuclei template |
25 Mar 2025 | Case opened |
25 Mar 2025 | First scan |