Security researchers have revealed a major flaw in Next.JS React Framework. This allows middleware-based access control to be bypassed. I found it last Friday. After an unfortunate developer pushed into production (Friday, all days). Next.js is the most widely used JavaScript framework on the web.
“Next.JS uses the internal header X-Middleware-SubRequest to prevent recursive requests from triggering infinite loops,” Next.JS said in its advisory.
The world’s most popular JavaScript framework hit with a critical 9.1 security flaw
Vulnerability—CVE-2025-29927 – removes CVSS scores of 9.1 out of 10. An attacker can change the request header to skip important approval checks. The flaw is due to how NextJS handles the internal header, X-Middleware-SubRequest. This is supposed to prevent endless middleware loops.
“We were able to skip the running middleware, which allows requests to skip important checks, such as cookie validation approval, before reaching the route,” NextJS said in its advisory.
This issue affects a wide range of production apps and SaaS platforms that use middleware for gatekeeping access to authenticated or premium content. If your app says “I won’t access unless you pay,” this bug allows the attacker to respond with “Cool talk, it’s in anyway.”
Why is it important?
This is not an ambiguous bug in a rarely used library. It is located in the next JS, which is powering thousands of production apps for startups and large companies. If you are using middleware for authentication and have not yet patched it, your app may already be vulnerable.
If you are not using middleware or hosting it on a platform like Vercel or Netlify without custom logic, it may not be affected. However, self-hosted apps that use middleware to implement access control are experiencing problems.
How exploit works
The middleware is executed before the server processes the request. It is typically used for logging, error handling, and access control. However, in this case, the researchers found that by inferring the middleware name (following a predictable pattern), including the X-Middleware-SubRequest header, the attacker could bypass it completely.
Doing so will skip the access control logic in the middleware. Management page. Subscriber dashboard. Everything behind the gate will be reachable.
For apps that rely heavily on middleware to protect routes, they are easy to run and dangerous.
Nextjs exploits discovery
The defect was discovered by Rachid Allam, also known as Zhero and Cold-Try. After the public recommendation was published, he released additional technical details showing how the exploit works. This turned this into a race. The developer must apply a patch before an attacker can begin scanning the target.
JFrog Security, which also investigated the issue, stated:
“Host websites that use middleware to approve users without additional approval checks are vulnerable to CVE-2025-29927, which could allow attackers to access unauthorized resources in other ways.”
Which version is patched?
Fixes are available in these releases:
12.3.5
13.5.9
14.2.25
15.2.3
If updates are not possible immediately, Vercel recommends blocking requests that contain the X-Middleware-Subrequest header. But it’s a temporary fix and not a long-term solution.
What happened after disclosure
CloudFlare responded quickly by pressing rules to block external use of headers. However, this change has caused issues with third-party tools such as Supabase, authentication flow corruption, false positives, and more. I had to roll back the rules and opt in.
Then came the tech drama.
CloudFlare CEOs have the opportunity to promote tools that allow developers to migrate their next JS projects from Vercel to CloudFlare. pitch? “Unlike Vercel, we are actually interested in your security.”
Vercel’s CEO was not impressed. He fought back by reminding him of one of CloudFlare’s worst security incidents, Cloudbleed’s internet, calling DDOS protection “trash.” CloudFlare CEO responded with memes, and the entire exchange quickly turned into Tech Twitter confusion.
What developers are frustrating?
delay.
The vulnerability was reported on February 27th. The patch has not been patched until March 18th. For advanced bugs in one of the most popular frameworks on the internet, it’s almost three weeks.
For many developers, it wasn’t just a flaw. It was a slower response to something that was far more urgent and should be handled.
Conclusion
If your app uses middleware to control access and is unpatched, you are at risk. The exploit is authentic, easy to trigger, and is public.
Patch it now. Don’t rely solely on middleware. And they may stop shipping codes on Friday.
Source link
