CVE-2025-29927: Next.js Middleware Authorization Bypass

Severity: CRITICAL (CVSS score 9.1)
Published: 2025-03-21
Affected: Next.js versions before 15.2.3 and 14.2.25
Weakness: CWE-285 (Improper Authorization)

Can Next.js middleware be bypassed?

CVE-2025-29927 is an authorization bypass in Next.js middleware. By sending a request that carries a specific internal header (x-middleware-subrequest), an attacker can cause middleware execution to be skipped entirely, bypassing any authentication, authorization, or other security checks implemented in that middleware.

Impact & Exploitation

Next.js powers millions of web applications. Any application that relies on middleware for authentication or other security controls is vulnerable. A successful bypass grants access to protected routes, admin panels, and API endpoints that the middleware was meant to guard.
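An upstream filter for the header named above, as an added example that is not from this report or from Next.js. It assumes a request object with remoteAddress, path and headers fields (as a reverse proxy or custom server would expose), and the event name in the log record is a placeholder:

```javascript
// Added example, not code from the advisory page or from Next.js itself.
// A filter that runs in front of Next.js (reverse proxy rule, custom Node
// server, edge function) and rejects external requests carrying the internal
// x-middleware-subrequest header. On unpatched versions such a request may
// skip the app's own middleware, so the check cannot live in that middleware.

const BLOCKED_HEADER = "x-middleware-subrequest";

// HTTP header names are case-insensitive; normalise to a lowercase-keyed Map.
// Accepts either a plain object or an array of [name, value] pairs.
function normalizeHeaders(headers) {
  const out = new Map();
  const entries = Array.isArray(headers) ? headers : Object.entries(headers);
  for (const [name, value] of entries) {
    out.set(String(name).toLowerCase(), value);
  }
  return out;
}

// Screen one request. Returns a decision the caller acts on: either reject
// with 403 (plus a structured log record for the SIEM) or forward as-is.
function screenRequest(req) {
  const headers = normalizeHeaders(req.headers);
  if (headers.has(BLOCKED_HEADER)) {
    return {
      action: "reject",
      status: 403,
      log: {
        event: "nextjs_middleware_bypass_attempt", // assumed event name
        cve: "CVE-2025-29927",
        src: req.remoteAddress,
        path: req.path,
        header: BLOCKED_HEADER,
      },
    };
  }
  return { action: "forward", status: null, log: null };
}

// Constructed sample traffic: one external request supplying the header
// (mixed case, as a client might send it) and one ordinary request.
const SAMPLE_REQUESTS = [
  { remoteAddress: "203.0.113.10", path: "/admin",
    headers: { host: "app.example", "X-Middleware-Subrequest": "<constructed value>" } },
  { remoteAddress: "198.51.100.7", path: "/",
    headers: [["Host", "app.example"], ["Accept", "text/html"]] },
];

SAMPLE_REQUESTS.map(screenRequest).forEach((d) => console.log(d.action, d.log ?? ""));
```

Upgrading to a fixed Next.js version is the real remediation; this filter is the stop-gap for deployments that cannot patch immediately.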

How Precogs AI Detects Next.js Middleware Authorization Bypass

Precogs AI identifies middleware bypass patterns in compiled JavaScript applications, detecting header-based security control evasion in server-side rendering frameworks.


Precogs Research

This vulnerability intelligence report was analyzed and enriched by the Precogs AI Security Team. Our researchers continuously monitor emerging threats across AI code, LLM pipelines, and binary architectures to ensure accurate real-time remediation guidance.