Next.js just disclosed a critical authentication bypass vulnerability that affects almost all versions. This is serious stuff - it could allow attackers to bypass your authentication regardless of which auth provider you're using.
The root of CVE-2025-29927 lies in how Next.js middleware processes the x-middleware-subrequest header. If an attacker crafts a request with this header set to specific values (like middleware, src/middleware, or repeated values depending on the app structure and Next.js version), the middleware logic can be completely bypassed. This means:
- Authorization and authentication checks in middleware are skipped
- Attackers can access protected routes or APIs as if they were authenticated
- The exploit works by mimicking internal subrequests, tricking Next.js into thinking the request has already passed through the middleware
For example, sending a header like:
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
can bypass protections in some Next.js versions (Discovered by zhero_web_security).
This makes the vulnerability extremely dangerous for any app relying on middleware for security.
📦 Affected Versions and Patches
Here are the safe versions you should upgrade to:
- Next.js 15.x -> 15.2.4
- Next.js 14.x -> 14.2.26
- Next.js 13.x -> 13.5.10
- Next.js 12.x -> 12.3.6
- Next.js 11.x -> No patch available (must use WAF rule)
⚡ WAF rule to protect your Next.js app
Create a Custom Rule in Cloudflare WAF (Free Plan)
If you're on the free plan, here's how to create a custom rule:
- Navigate to Security > WAF > Custom rules
- Create a new rule named "next-js-CVE-2025-29927"
- Add this expression:
(len(http.request.headers["x-middleware-subrequest"]) > 0)
- Set action to "Block"
- Deploy!
This rule blocks requests that contain the x-middleware-subrequest header, which is the key vector for this vulnerability. Here's why:
- The x-middleware-subrequest header is used internally by Next.js middleware. When present, it indicates a subrequest from middleware to the application.
- The vulnerability allows attackers to forge this header to bypass authentication.
- By blocking requests with this header, we prevent the exploit path.
The len() function checks if the header exists and has any value. Even an empty value would be blocked, which is what we want since legitimate users should never send this header directly.
Stay safe out there, and happy coding! 🚀