Your Next.js Auth Middleware Was Decorative This Whole Time
Set one HTTP header and skip all middleware. Authentication, authorization, rate limiting, all of it. CVE-2025-29927. Confirmed exploitation in the wild. If you run Next.js, update now.
# One HTTP header. That's all it took to bypass your entire auth layer.
Next.js uses middleware to enforce authentication across your application. Login required? Middleware checks the session. Admin-only page? Middleware checks the role. Rate limiting? Middleware counts requests. It's the standard pattern. Millions of applications use it.
CVE-2025-29927 (CVSS 9.1): Next.js uses an internal header called x-middleware-subrequest to prevent middleware from running in infinite loops. The problem? External requests carrying this header were trusted without validation. Any client could set it. Any browser extension. Any curl command. Any attacker.
Set the header. Middleware doesn't run. Authentication skipped. Authorization skipped. Rate limiting skipped. Every protected route in your application is now public.
This was originally disclosed in March 2025. It wasn't fully fixed until the May 2026 coordinated release. Confirmed exploitation in the wild.
And that's not all. The May 2026 release addressed roughly a dozen issues across Next.js and React Server Components, including DoS vulnerabilities (CVE-2026-23870, CVE-2026-23864, CVE-2026-23869) that cause memory and CPU exhaustion via crafted requests, plus SSRF and cache poisoning in edge/CDN deployments.
# Why this is a big deal.
Next.js is the most popular React framework. It powers a massive share of modern web applications. E-commerce stores, SaaS dashboards, client portals, admin panels, internal tools. A lot of those applications use middleware as their primary authentication mechanism.
If your application relied on Next.js middleware for auth and you were running any version from 13.x through 16.x before the patch, every authenticated route was accessible to anyone who knew to set one HTTP header.
That's not a subtle bypass. That's the front door being unlocked and the sign saying "come in."
# What to do.
1. Update to Next.js 15.5.18 or 16.2.6. This is the fix. Do it now.
2. On self-hosted deployments, strip the header at the reverse proxy. If you run Next.js behind Nginx, Caddy, or any reverse proxy, configure it to strip or reject any incoming request carrying x-middleware-subrequest. This is defense-in-depth in case future middleware issues surface.
For Nginx:
```nginx
proxy_set_header x-middleware-subrequest "";
```
3. Don't rely solely on middleware for security-critical checks. Middleware is convenient. It's also a single point of failure. For critical operations (payment processing, data access, admin functions), verify authentication and authorization at the API route/handler level too. Belt and suspenders.
4. If you run a Next.js application in production, audit your access logs for requests containing the x-middleware-subrequest header from external sources. Most default access-log formats do not record request headers, so this only works if your proxy or application actually logs that header (in Nginx, add `$http_x_middleware_subrequest` to your `log_format`). If you see such requests, someone may have already exploited this against your application.
# Further reading
- NVD: CVE-2025-29927 - middleware bypass details
- Vercel May 2026 Security Release - full list of fixes
- ProjectDiscovery Analysis - exploitation details
- Next.js Security Documentation - proper auth patterns