PT-2025-12427 · Next.Js · Next.Js
Cold-Try · Published 2025-03-21 · Updated 2026-05-08 · CVE-2025-29927

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Next.js versions 1.11.4 through 12.3.4
Next.js versions 12.3.5 through 13.5.8
Next.js versions 13.5.9 through 14.2.24
Next.js versions 14.2.25 through 15.2.2
Next.js versions 15.2.3 and earlier
Description

An issue in the handling of the x-middleware-subrequest header allows remote attackers to bypass authorization checks, session validation, and rate limiting when those controls are implemented in the middleware. By injecting a specially crafted x-middleware-subrequest header, an attacker can make the application treat an unauthenticated request as one that has already passed through the required middleware checks. This can lead to unauthorized access to protected resources, such as admin panels and API routes. The flaw can additionally be used to bypass Content-Security-Policy (CSP) headers set by middleware, or to facilitate Denial-of-Service (DoS) attacks via cache poisoning.

Real-world exploitation has been observed by the TeamPCP hacking group, which used this flaw to deploy cryptominers in cloud environments.
Recommendations

Update Next.js to version 12.3.5 or newer.
Update Next.js to version 13.5.9 or newer.
Update Next.js to version 14.2.25 or newer.
Update Next.js to version 15.2.3 or newer.

As a temporary workaround, prevent external user requests containing the x-middleware-subrequest header from reaching the application. Implement authorization checks at the route level in addition to middleware to provide defense-in-depth.
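The two mitigations above (strip the internal header at the edge, and authorize again at the route) shown as an added Node.js example. This is not Next.js project code or the vendor's fix; it assumes header names arrive lowercased as Node's http module delivers them, and uses a constructed in-memory session map in place of a real session store. The dropped-header list is returned so that the edge can log the event as a detection signal.

```javascript
// Added example (not Next.js project code): defence-in-depth for the header
// bypass described above, written as plain functions so they can be unit-tested.
// Assumptions: header names are lowercased on arrival (Node's http module does
// this); SESSIONS is a constructed stand-in for a real session store.

// Internal-only headers that must never be accepted from an external client.
const BLOCKED_HEADERS = new Set(['x-middleware-subrequest']);

// Layer 1 (edge / reverse proxy): copy the inbound headers, dropping any
// blocked name regardless of its value, and report what was dropped so the
// edge can alert on it. Names are lowercased so the check is case-insensitive.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (BLOCKED_HEADERS.has(lower)) {
      dropped.push(lower);
      continue;
    }
    clean[lower] = value;
  }
  return { headers: clean, dropped };
}

// Constructed session store (stand-in for a real one).
const SESSIONS = new Map([
  ['sess-admin-1', { user: 'alice', roles: ['admin'] }],
  ['sess-user-2', { user: 'bob', roles: ['user'] }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Layer 2 (route level): the admin route validates the session itself instead
// of trusting that middleware already did, so a middleware bypass alone does
// not grant access.
function handleAdminRoute(req) {
  const cookies = parseCookies(req.headers.cookie || '');
  const session = SESSIONS.get(cookies.session);
  if (!session) return { status: 401, body: 'authentication required' };
  if (!session.roles.includes('admin')) return { status: 403, body: 'forbidden' };
  return { status: 200, body: `admin panel for ${session.user}` };
}

// Both layers together, as an edge would apply them to one incoming request.
function serve(req) {
  const { headers, dropped } = sanitizeInboundHeaders(req.headers);
  if (dropped.length > 0) {
    // Detection hook: an external request carrying an internal header is worth an alert.
    console.warn(`dropped internal header(s) from external request: ${dropped.join(', ')}`);
  }
  const cleanReq = { ...req, headers };
  if (cleanReq.url === '/admin') return handleAdminRoute(cleanReq);
  return { status: 404, body: 'not found' };
}
```

The route-level check is the part that survives even if the edge rule is missing or misconfigured: with no valid admin session the request gets 401 or 403 whatever headers it carried.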

Tags: Exploit · Fix · DoS · RCE

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BDU:2025-03185
CVE-2025-29927
GHSA-F82V-JWR5-MFFW

Affected Products

Next.Js