Next.js Authorization Bypass Vulnerability (CVE-2025-29927)

A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summarizes what we know about CVE-2025-29927, how you can mitigate the vulnerability, and how Acunetix can help you detect and confirm your organization’s risk.

What you need to know about CVE-2025-29927

  • A remote authorization bypass vulnerability identified as CVE-2025-29927 was confirmed in Next.js, one of the most popular React frameworks used to build web applications.
  • The vulnerability allows attackers to completely bypass Next.js functionality in an application, including commonly used critical security functions such as authentication and authorization.
  • As of March 24, 2025, Acunetix has an active security check to detect and report exploitable Next.js versions.
  • The vulnerability affects the following Next.js versions:
    • Next.js 11.1.4 through 13.5.6 (unpatched)
    • Next.js 14.x before 14.2.25
    • Next.js 15.x before 15.2.3
  • Upgrading to a non-vulnerable version is the only guaranteed fix. Proxy-level WAF blocking may work temporarily but is not recommended in the long run.

Understand your Next.js middleware bypass risk

The vulnerability allows attackers to completely bypass the middleware functionality by including a specially crafted x-middleware-subrequest header in their requests. You can think of middleware as a processing chain that lets software modules inspect, modify, or reroute an HTTP request before it reaches its final code handler. It is a natural place to implement things like authentication, and one very common pattern is to have middleware redirect to a login page if no valid authentication cookie is found.

This vulnerability is particularly concerning because Next.js middleware is commonly used for critical security functions such as authentication, authorization, path rewriting, and implementing security headers. All of these can be trivially bypassed by an attacker simply by using a special HTTP header.

Are you vulnerable to the Next.js middleware bypass?

If your answer to BOTH of the following questions is “yes”, your application is vulnerable unless patched:

  • Do you rely on Next.js middleware for security controls?
  • Are you running a self-hosted Next.js application using next start with output: "standalone"?

Applications are particularly at risk if:

  • You use middleware for authentication or authorization checks
  • You rely on middleware for implementing security headers like Content Security Policy (CSP), used to define limitations on where resources are permitted to be loaded
  • You use middleware for path rewriting to restrict access to certain routes

Applications hosted on Vercel or Netlify are not affected, as these platforms have implemented mitigations at their edge layers. Applications deployed as static exports (where middleware is not executed) are also not affected.

If you don’t know the details of your Next.js usage or want the ability to assess it independently, running an automated DAST tool to confirm your vulnerability is a great place to start.

How the Next.js middleware vulnerability works

Next.js middleware uses an internal header called x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security vulnerability allows an attacker to manipulate this header to trick the Next.js application into skipping middleware execution entirely.

For different versions of Next.js, the exploit works slightly differently:

  • For older versions (pre-12.2):
    x-middleware-subrequest: pages/_middleware
  • For modern versions:
    x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
    (or src/middleware:src/middleware:src/middleware:src/middleware:src/middleware if using the src directory)

When this header is present with the appropriate value, the middleware is completely bypassed, allowing the request to reach its original destination without any security checks or modifications that would have been applied by the middleware.

How Invicti DAST products detect CVE-2025-29927

Active detection logic (Acunetix)

Invicti’s security research team has developed a check for the Acunetix engine to detect if your applications are vulnerable to CVE-2025-29927. As of Monday, March 24, 2025, this check is live for all Acunetix Premium customers.

Here’s how the active check works step by step:

  1. Identify Next.js middleware usage: The check first looks for the telltale signs of Next.js middleware, specifically a 307 redirect where the response body equals the location header value. This pattern is unique to Next.js middleware redirects.
  2. Verify Next.js framework presence: Confirm the application is using Next.js by checking for the x-powered-by: Next.js header in responses.
  3. Test with bypass payloads: The detection mechanism tries different bypass payloads based on the potential Next.js version:
    • For newer versions (13.2.0+): middleware:middleware:middleware:middleware:middleware (and the src variant)
    • For older versions (pre-12.2): pages/_middleware
    • For intermediate versions (12.2 to 13.2.0): middleware
  4. Validation through contrast: To avoid false positives, the test performs multiple validation checks:
    • Send a request with the potential bypass header and check if it returns a 200 OK.
    • Send a control request with a slightly modified header, such as Y-Middleware-Subrequest, to confirm it still redirects (307).
    • Send another request with an invalid value to confirm proper behavior.
    • Repeat the successful bypass to ensure consistency.
  5. Confirm vulnerability: Only after all validation steps pass is the vulnerability confirmed, reducing the risk of false positives.
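The five-step contrast flow above, written out as an added example that is not the Acunetix check itself: it runs the probe, the renamed-header control, the invalid-value control and the repeat against two constructed in-process stand-ins for a self-hosted app (one whose simulated framework honours the bypass values, one that does not). The request path /dashboard, the /login redirect target, the session cookie name and the in-memory handler shape are all assumptions of this example; the payload strings are the ones listed in the steps.

```javascript
// Added example, not Acunetix's detection code: the contrast-based check
// described above, run against constructed in-process apps.

// Bypass values listed in the post, tried in order of the versions they target.
const BYPASS_PAYLOADS = [
  'middleware:middleware:middleware:middleware:middleware',                       // 13.2.0+
  'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware',   // 13.2.0+, src layout
  'middleware',                                                                   // 12.2 to 13.2.0
  'pages/_middleware',                                                            // pre-12.2
];

// Constructed stand-in for a self-hosted app whose middleware redirects
// unauthenticated users to /login. `bypassValues` lists the header values the
// simulated framework version wrongly treats as an internal subrequest.
function makeApp(bypassValues) {
  return function handle(req) {
    const h = {};
    for (const [name, value] of Object.entries(req.headers)) h[name.toLowerCase()] = value;
    const base = { 'x-powered-by': 'Next.js' };
    const skipMiddleware = bypassValues.includes(h['x-middleware-subrequest']);
    const authenticated = typeof h.cookie === 'string' && h.cookie.includes('session=');
    if (!skipMiddleware && !authenticated) {
      // Next.js middleware redirect shape: 307 whose body equals the Location value.
      return { status: 307, headers: { ...base, location: '/login' }, body: '/login' };
    }
    return { status: 200, headers: base, body: '<html>dashboard</html>' };
  };
}

// Step 1: the telltale middleware redirect.
function isMiddlewareRedirect(res) {
  return res.status === 307 && res.body === res.headers.location;
}

// Steps 1-5. Returns { vulnerable, payload, reason } so callers can log why.
function detectMiddlewareBypass(handle, path = '/dashboard') {
  const send = (headers) => handle({ path, headers });

  const baseline = send({});
  if (!isMiddlewareRedirect(baseline)) return { vulnerable: false, reason: 'no middleware redirect' };
  // Step 2: confirm the framework.
  if (baseline.headers['x-powered-by'] !== 'Next.js') return { vulnerable: false, reason: 'not Next.js' };

  for (const payload of BYPASS_PAYLOADS) {
    // Step 3: probe with the candidate value.
    const probe = send({ 'x-middleware-subrequest': payload });
    if (probe.status !== 200) continue;
    // Step 4a: a renamed header must still redirect, or the 200 meant nothing.
    const control = send({ 'y-middleware-subrequest': payload });
    if (!isMiddlewareRedirect(control)) continue;
    // Step 4b: an invalid value must still redirect.
    const invalid = send({ 'x-middleware-subrequest': 'not-a-real-value' });
    if (!isMiddlewareRedirect(invalid)) continue;
    // Step 4c: the bypass must be repeatable, not a one-off.
    const repeat = send({ 'x-middleware-subrequest': payload });
    if (repeat.status !== 200) continue;
    // Step 5: every contrast passed.
    return { vulnerable: true, payload, reason: 'bypass confirmed by contrast' };
  }
  return { vulnerable: false, reason: 'all payloads still redirected' };
}

// Constructed targets: one vulnerable (honours the modern payloads), one patched.
const vulnerableApp = makeApp([BYPASS_PAYLOADS[0], BYPASS_PAYLOADS[1]]);
const patchedApp = makeApp([]);
```

The controls are what make this a confirmation rather than a guess: an app that returns 200 for any request, or one that redirects regardless of the header, is rejected at a control step, and a bypass that does not recur on the repeat request is treated as noise.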

Passive detection through traffic analysis with dynamic SCA (Invicti)

The vulnerability is detected through passive monitoring of web traffic during a security scan, without making active requests. Invicti Enterprise uses this technique together with its vulnerability database to detect the flaw. The technique looks for the x-powered-by: Next.js header in responses, which confirms the application is using Next.js. The presence of a vulnerable version is further confirmed by evaluating next.version in the browser’s JavaScript context to extract the precise version.

We then compare this value to our continuously updated database of known CVEs and network detection signatures to determine if an insecure version of Next.js has been encountered.
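The comparison step, as an added example that is not Invicti's database logic: it parses the version string that next.version yields and classifies it against the affected ranges and fixed releases stated in this post (first affected 11.1.4; fixed in 12.3.5, 13.5.9, 14.2.25 and 15.2.3; no fixed 11.x release listed). Treating any major above 15 as unaffected, and treating a pre-release such as a canary build as older than the release it precedes, are assumptions of this example.

```javascript
// Added example, not Invicti's code: classify a Next.js version string
// against the affected ranges and fixed releases stated in this post.

// Fixed releases per major, from the mitigation section of the post.
const FIXED_BY_MAJOR = { 12: '12.3.5', 13: '13.5.9', 14: '14.2.25', 15: '15.2.3' };
const FIRST_AFFECTED = '11.1.4';
const LAST_AFFECTED_MAJOR = 15; // assumption: majors above 15 are unaffected

// Accepts "15.2.3", "v15.2.3" and pre-releases such as "15.2.3-canary.4".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  // A pre-release sorts before the release it precedes (assumption: treat
  // canary builds of a fixed version conservatively, i.e. as not yet fixed).
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

function isVulnerableVersion(version) {
  const { major } = parseVersion(version);
  if (compareVersions(version, FIRST_AFFECTED) < 0) return false; // older than 11.1.4
  if (major > LAST_AFFECTED_MAJOR) return false;
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return true; // 11.x: the post lists no patched release
  return compareVersions(version, fixed) < 0;
}

// Returns the fixed release an inventory owner should move to, or null if none applies.
function recommendedUpgrade(version) {
  if (!isVulnerableVersion(version)) return null;
  return FIXED_BY_MAJOR[parseVersion(version).major] || FIXED_BY_MAJOR[LAST_AFFECTED_MAJOR];
}
```

For 11.x there is no same-major fix listed, so recommendedUpgrade points at the newest fixed release; that matches the post's advice that upgrading is the only guaranteed remediation.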

As of Tuesday, March 25, 2025, this check is live for all Invicti Enterprise, Invicti Standard, and Acunetix 360 customers. 

Mitigation steps for CVE-2025-29927

  1. Update immediately:
    • For Next.js 15.x: Update to ≥ 15.2.3
    • For Next.js 14.x: Update to ≥ 14.2.25
    • For Next.js 13.x: Update to ≥ 13.5.9
    • For Next.js 12.x: Update to ≥ 12.3.5
  2. If updating isn’t possible immediately:
    • Block the x-middleware-subrequest header at your edge/proxy level (not in middleware itself).
    • Cloudflare users can enable a Managed WAF rule that blocks this attack. Be aware that Cloudflare has changed this WAF rule to be opt-in after reports of third-party authentication frameworks being impacted. We suggest you focus on upgrading Next.js.

Invicti Security would like to acknowledge Rachid Allam and Yasser Allam for their original research and writeup of their findings, as well as our internal teams that worked to turn out a check to customers within a single business day.

Our security team is continuously monitoring this situation and will update as more information becomes available.

THE AUTHOR

Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.
