PT-2025-12427 · Next.Js · Next.Js

Cold-Try · Published 2025-03-21 · Updated 2026-06-12 · CVE-2025-29927

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

- Next.js versions 1.11.4 through 12.3.4
- Next.js versions 12.3.5 through 13.5.8
- Next.js versions 13.5.9 through 14.2.24
- Next.js versions 14.2.25 through 15.2.2
Description

An issue in the handling of the x-middleware-subrequest header allows remote attackers to bypass authorization checks, session validation, and rate limiting when these security measures are implemented within the middleware. By sending a specially crafted request containing the x-middleware-subrequest header, an attacker can make the application treat an unauthenticated request as one that has already passed through the required middleware checks. This can lead to unauthorized access to protected resources, such as admin panels and API routes. The flaw can additionally be used to bypass Content-Security-Policy (CSP) settings or to facilitate Denial-of-Service (DoS) attacks via cache poisoning.

Real-world exploitation by the threat actor group TeamPCP has been observed: the group used this flaw in its PCPcat campaign to target cloud infrastructure in the e-commerce and finance sectors.
Recommendations

- Update Next.js to version 12.3.5.
- Update Next.js to version 13.5.9.
- Update Next.js to version 14.2.25.
- Update Next.js to version 15.2.3.

As a temporary workaround, prevent external user requests containing the x-middleware-subrequest header from reaching the application.

Exploit · Fix · DoS · RCE · Incorrect Authorization · Improper Authorization


Weakness Enumeration

Related Identifiers

BDU:2025-03185
CVE-2025-29927
GHSA-F82V-JWR5-MFFW

Affected Products

Next.Js