NextJS security flaw: Critical 9.1 vulnerability lets attackers bypass authentication via middleware

Security researchers have uncovered a major flaw in the Next.js React framework that makes it possible to bypass middleware-based access control. The discovery came last Friday—right after an unlucky developer pushed to production (on a Friday, of all days). Next.js is the most widely used JavaScript framework on the web.

“Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an advisory.

The World’s Most Popular JavaScript Framework Hit with Critical 9.1 Security Flaw

The vulnerability—CVE-2025-29927—carries a CVSS score of 9.1 out of 10. It lets attackers skip critical authorization checks by modifying a request header. The flaw stems from how NextJS handles an internal header, x-middleware-subrequest, which is supposed to prevent infinite middleware loops.

“It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes,” NextJS said in its advisory.

The issue affects a wide range of production apps and SaaS platforms that use middleware to gatekeep access to authenticated or premium content. If your app says, “No access unless you’ve paid,” this bug lets attackers respond with: “Cool story, I’m going in anyway.”

Why it matters

This isn’t some obscure bug in a rarely used library. It’s in NextJS, which powers thousands of production apps for startups and large enterprises alike. If you’re using middleware for authentication and haven’t patched yet, your app could already be vulnerable.

If you’re not using middleware—or you’re hosting on platforms like Vercel or Netlify without custom logic—you’re likely unaffected. But self-hosted apps using middleware to enforce access control are in trouble.

How The Exploit Works

Middleware runs before your server handles a request. It’s typically used for logging, error handling, and access control. But in this case, researchers discovered that by including the x-middleware-subrequest header and guessing the middleware name (which follows predictable patterns), attackers can bypass it altogether.

Once they do that, any access control logic inside the middleware gets skipped. Admin pages. Subscriber dashboards. Anything behind a gate becomes reachable.

It’s easy to execute and dangerous for apps that rely heavily on middleware for protecting routes.

NextJS Exploit Discovery

The flaw was discovered by Rachid Allam, also known as zhero and cold-try. After the public advisory went live, he published additional technical details showing how the exploit works. That’s turned this into a race—developers need to patch before attackers start scanning for targets.

JFrog Security, which also examined the issue, said:

“Any host website that utilizes middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources.”

What Versions Are Patched?

The fix is available in these releases:

• 12.3.5

• 13.5.9

• 14.2.25

• 15.2.3

If updating isn’t possible right away, Vercel recommends blocking requests that include the x-middleware-subrequest header. But that’s a temporary fix, not a long-term solution.

What Happened After Disclosure

Cloudflare responded quickly by pushing a rule to block external use of the header. However, the change caused problems with third-party tools like Supabase, breaking authentication flows and triggering false positives. The rule had to be rolled back and made opt-in.

Then came the tech drama.

Cloudflare’s CEO took the opportunity to promote a tool that lets developers migrate their NextJS projects from Vercel to Cloudflare. The pitch? “Unlike Vercel, we actually care about your security.”

Vercel’s CEO wasn’t impressed. He fired back by reminding the internet of Cloudbleed, one of Cloudflare’s worst security incidents, and called their DDoS protection “trash.” Cloudflare’s CEO responded with a meme, and the whole exchange quickly turned into tech Twitter chaos.

What’s frustrating developers

The delay.

The vulnerability was reported on February 27. It wasn’t patched until March 18. That’s nearly three weeks for a high-severity bug in one of the most popular frameworks on the internet.

For many developers, it wasn’t just the flaw—it was the slow response to something that should have been treated with much more urgency.

Bottom line

If your app uses middleware to control access and you haven’t patched, you’re at risk. The exploit is real, easy to trigger, and public.

Patch now. Don’t rely on middleware alone. And maybe stop shipping code on Fridays.