Next.js Middleware Auth. Bypass Vulnerability

What is the Vulnerability?

FortiGuard Labs has identified ongoing attack attempts targeting a critical authorization bypass vulnerability (CVE-2025-29927) in the middleware system of the Next.js framework, a popular React-based framework for building full-stack web applications.

The issue arises from improper handling of an internal HTTP header, x-middleware-subrequest. When this header is manipulated, middleware execution can be bypassed, allowing attackers to skip essential security checks such as:

- Authorization cookie validation
- Session validation
- Enforced security headers (e.g., Content Security Policy)

What is the recommended Mitigation?

Apply patches or updates provided by the Next.js development team as soon as possible. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Audit and monitor applications for unexpected use of the x-middleware-subrequest header.

If patching is not feasible, it is strongly recommended to implement the following mitigation: block all external requests containing the x-middleware-subrequest HTTP header before they reach your Next.js application.

Read the full security advisory here: https://www.openwall.com/lists/oss-security/2025/03/23/3

What FortiGuard Coverage is available?

Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting Next.js Middleware Auth. Bypass (CVE-2025-29927). Intrusion Prevention | FortiGuard Labs

Web Application Security: FortiWEB has a signature available to detect and block exploit attempts targeting Next.js Middleware Auth. Bypass (CVE-2025-29927). Web Application Security | FortiGuard Labs

Incident Response Service: The FortiGuard Incident Response team is available to assist with any suspected compromise.
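As an added example (not code from the advisory or from the Next.js project), the following JavaScript implements the two defensive steps recommended above at a proxy or edge layer in front of a Next.js application: rejecting external requests that carry the internal x-middleware-subrequest header, and auditing logged traffic for that header. The request shape, the JSON-lines log format and all sample values are assumptions constructed for the example.

```javascript
// Added example, not taken from the FortiGuard advisory or the Next.js project.
// It shows the two defensive actions the advisory recommends: rejecting external
// requests that carry the internal x-middleware-subrequest header at a proxy or
// edge layer in front of Next.js, and auditing logged traffic for that header.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Case-insensitive presence check. Node lower-cases inbound header names, but
// records taken from proxy logs or other sources may not be normalised.
function hasBlockedHeader(headers) {
  return Object.keys(headers || {}).some((n) => n.toLowerCase() === BLOCKED_HEADER);
}

// Decide what to do with one inbound request before it reaches Next.js.
// `req` is assumed to have `url`, `remoteAddress` and a `headers` object
// (the shape of a Node http.IncomingMessage, minus the socket).
function evaluateRequest(req) {
  const base = { path: req.url, remote: req.remoteAddress };
  if (hasBlockedHeader(req.headers)) {
    return { ...base, action: 'block', status: 400,
             reason: `external request carried internal header ${BLOCKED_HEADER}` };
  }
  return { ...base, action: 'allow', status: 200 };
}

// Audit helper for a JSON-lines log in which a proxy records request headers
// (an assumed log format): returns the records that should be investigated.
function findSuspiciousLogRecords(jsonl) {
  return jsonl.split('\n').filter((l) => l.trim())
    .map((l) => JSON.parse(l))
    .filter((rec) => hasBlockedHeader(rec.headers));
}

// Constructed sample traffic: an ordinary request and one carrying the header.
const sampleRequests = [
  { url: '/dashboard', remoteAddress: '203.0.113.10', headers: { 'user-agent': 'curl/8.0' } },
  { url: '/admin', remoteAddress: '203.0.113.20', headers: { 'X-Middleware-Subrequest': 'test' } },
];

// Constructed sample log containing the same two requests.
const sampleLog = [
  '{"ts":"2025-03-24T10:00:00Z","path":"/dashboard","headers":{"user-agent":"curl/8.0"}}',
  '{"ts":"2025-03-24T10:00:05Z","path":"/admin","headers":{"x-middleware-subrequest":"test"}}',
].join('\n');

for (const r of sampleRequests) console.log(JSON.stringify(evaluateRequest(r)));
console.log('suspicious log records:', findSuspiciousLogRecords(sampleLog).length);
```

In a real deployment the check belongs on whatever terminates external traffic (a reverse proxy, WAF or edge function), so that the header is rejected before Next.js sees it, while legitimate internal subrequests generated by Next.js itself are unaffected.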