A critical security flaw, CVE-2025-29927 (CVSS score 9.1), has been found in the Next.js React framework. This vulnerability lets attackers bypass middleware authorization checks and reach parts of a web application that should remain restricted. To protect against this vulnerability, continue reading this Cybersecurity Threat Advisory.
What is the threat?
CVE-2025-29927 stems from the handling of the internal x-middleware-subrequest header, which Next.js uses to prevent infinite request loops when middleware issues subrequests. An attacker who includes this header in an external request can bypass the middleware responsible for security checks such as authentication and user access validation. By skipping these checks, attackers can gain unauthorized access to protected areas of a website.
Why is it noteworthy?
This vulnerability is easy to exploit. Middleware plays a key role in securing Next.js web applications by controlling access to sensitive areas. Upon successful exploitation, attackers can access admin or privileged sections of a site, posing a significant security risk.
What is the exposure or risk?
If a site relies on middleware to verify that a user is an administrator or is logged in, an attacker exploiting this vulnerability skips that verification and gains access to admin-only areas or private user data. Any site that depends on middleware alone, without additional security measures, is exposed to potential compromise.
What are the recommendations?
Barracuda recommends the following actions to secure your environment:
- Update Next.js to a patched version: 12.3.5, 13.5.9, 14.2.25, or 15.2.3, depending on the major release in use.
- If an immediate update is not feasible, block external requests that carry the x-middleware-subrequest header (for example, strip or reject the header at a reverse proxy or edge layer before it reaches the application).
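As an added illustration of the second recommendation (this is example code, not Barracuda's or the Next.js project's), the following reverse-proxy style filter strips or rejects the internal header on external requests and emits an alert record for the SOC. The plain request shape, the rule name, the client IP and the sample header value are all constructed for the example.

```javascript
// Interim mitigation: keep the Next.js-internal header out of external requests
// so that only Next.js itself can set it on its own subrequests.
// Operates on plain { method, url, headers } objects so it runs offline.

const INTERNAL_HEADER = "x-middleware-subrequest";

// Header names are case-insensitive; lowercase them so any spelling is caught.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// mode "strip": drop the header and forward the request (least disruptive).
// mode "reject": refuse the request outright so the app never sees it.
// Returns { action, request, alert }; alert is null when the header is absent.
function filterExternalRequest(req, { mode = "strip", clientIp = "unknown" } = {}) {
  const headers = normalizeHeaders(req.headers || {});
  if (!(INTERNAL_HEADER in headers)) {
    return { action: "forward", request: { ...req, headers }, alert: null };
  }
  // Detection record: an external client should never send this header.
  const alert = {
    rule: "nextjs-internal-header-from-external-client", // assumed rule name
    cve: "CVE-2025-29927",
    clientIp,
    method: req.method,
    url: req.url,
    // Attacker-controlled text; keep it for triage but treat it as untrusted.
    headerValue: String(headers[INTERNAL_HEADER]),
  };
  if (mode === "reject") {
    return { action: "reject", status: 400, request: null, alert };
  }
  const { [INTERNAL_HEADER]: _dropped, ...cleaned } = headers;
  return { action: "forward", request: { ...req, headers: cleaned }, alert };
}

// Constructed sample traffic: a normal request and one carrying the header.
const sampleRequests = [
  { method: "GET", url: "/admin", headers: { Host: "example.test", Accept: "text/html" } },
  { method: "GET", url: "/admin",
    headers: { Host: "example.test", "X-Middleware-Subrequest": "constructed-value" } },
];
```

In production the same logic belongs in the proxy or edge configuration in front of the application, with the alert records forwarded to the SIEM.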
Reference
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.