{"repro_id":"REPRO-2026-00198","version":8,"title":"Next.js middleware authorization bypass via x-middleware-subrequest","repro_type":"security","status":"published","severity":"critical","cvss_score":9.1,"description":"Next.js middleware authorization checks can be bypassed when an external request includes the internal x-middleware-subrequest header, causing middleware to be skipped entirely.","root_cause":"The internal x-middleware-subrequest header is honored on external requests: its presence causes Next.js middleware to be skipped entirely, so any authorization check implemented in middleware never runs.","cve_id":"CVE-2025-29927","cwe_id":"CWE-285","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29927","package":{"name":"next","ecosystem":"npm","affected_versions":">=11.1.4 <12.3.5, >=13.0.0 <13.5.9, >=14.0 <14.2.25, >=15.0 <15.2.3","fixed_version":"12.3.5, 13.5.9, 14.2.25, 15.2.3"},"reproduced_at":"2026-07-02T05:05:05.647750+00:00","duration_secs":2244.0,"tool_calls":180,"handoffs":3,"total_cost_usd":2.6235164999999996,"agent_costs":{"coding":0.23950236,"hypothesis_generator":0.01002045,"judge":0.41841000000000006,"repro":0.33379418,"support":0.01927285,"vuln_variant":1.60251666},"cost_breakdown":{"coding":{"accounts/fireworks/models/kimi-k2p7-code":0.23950236},"hypothesis_generator":{"accounts/fireworks/models/kimi-k2p7-code":0.01002045},"judge":{"gpt-5.5":0.41841000000000006},"repro":{"accounts/fireworks/models/kimi-k2p7-code":0.33379418},"support":{"accounts/fireworks/models/kimi-k2p7-code":0.01927285},"vuln_variant":{"accounts/fireworks/models/kimi-k2p7-code":1.60251666}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-02T05:05:06.619532+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":7817,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":8042,"category":"analysis"},{"path":"bundl
e/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":872,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":731,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":4191,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":3698,"category":"ticket"},{"path":"bundle/logs/fixed-2-normal.txt","filename":"fixed-2-normal.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-1-bypass-body.html","filename":"vuln-1-bypass-body.html","size":12,"category":"other"},{"path":"bundle/logs/fixed-2-bypass-poly.txt","filename":"fixed-2-bypass-poly.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-2-build.log","filename":"vuln-2-build.log","size":1350,"category":"log"},{"path":"bundle/logs/nextjs-fixed-1.log","filename":"nextjs-fixed-1.log","size":0,"category":"log"},{"path":"bundle/logs/nextjs-fixed-2.log","filename":"nextjs-fixed-2.log","size":0,"category":"log"},{"path":"bundle/logs/fixed-2-summary.txt","filename":"fixed-2-summary.txt","size":56,"category":"other"},{"path":"bundle/logs/fixed-2-bypass-body.html","filename":"fixed-2-bypass-body.html","size":12,"category":"other"},{"path":"bundle/logs/vuln-2-summary.txt","filename":"vuln-2-summary.txt","size":55,"category":"other"},{"path":"bundle/logs/vuln-2-bypass.txt","filename":"vuln-2-bypass.txt","size":3,"category":"other"},{"path":"bundle/logs/fixed-1-bypass.txt","filename":"fixed-1-bypass.txt","size":3,"category":"other"},{"path":"bundle/logs/nextjs-vuln-1.log","filename":"nextjs-vuln-1.log","size":0,"category":"log"},{"path":"bundle/logs/fixed-1-bypass-body.html","filename":"fixed-1-bypass-body.html","size":12,"category":"other"},{"path":"bundle/logs/vuln-2-bypass-body.html","filename":"vuln-2-bypass-body.html","size":12,"category":"other"},{"path":"bundle/logs/vuln-1-bypass.txt","filename":"vuln-1-bypass.txt","size":3,"category":"other"},{"path":"bundle/logs/fixed-1-normal.txt","
filename":"fixed-1-normal.txt","size":3,"category":"other"},{"path":"bundle/logs/fixed-2-build.log","filename":"fixed-2-build.log","size":1350,"category":"log"},{"path":"bundle/logs/fixed-1-bypass-poly-body.html","filename":"fixed-1-bypass-poly-body.html","size":12,"category":"other"},{"path":"bundle/logs/nextjs-vuln-2.log","filename":"nextjs-vuln-2.log","size":0,"category":"log"},{"path":"bundle/logs/fixed-1-build.log","filename":"fixed-1-build.log","size":1350,"category":"log"},{"path":"bundle/logs/fixed-1-bypass-poly.txt","filename":"fixed-1-bypass-poly.txt","size":3,"category":"other"},{"path":"bundle/logs/fixed-1-summary.txt","filename":"fixed-1-summary.txt","size":56,"category":"other"},{"path":"bundle/logs/fixed-2-bypass.txt","filename":"fixed-2-bypass.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-1-build.log","filename":"vuln-1-build.log","size":1350,"category":"log"},{"path":"bundle/logs/vuln-1-bypass-poly-body.html","filename":"vuln-1-bypass-poly-body.html","size":3715,"category":"other"},{"path":"bundle/logs/vuln-1-normal.txt","filename":"vuln-1-normal.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-2-bypass-poly-body.html","filename":"vuln-2-bypass-poly-body.html","size":3715,"category":"other"},{"path":"bundle/logs/vuln-2-normal.txt","filename":"vuln-2-normal.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-1-bypass-poly.txt","filename":"vuln-1-bypass-poly.txt","size":3,"category":"other"},{"path":"bundle/logs/fixed-2-bypass-poly-body.html","filename":"fixed-2-bypass-poly-body.html","size":12,"category":"other"},{"path":"bundle/logs/vuln-2-bypass-poly.txt","filename":"vuln-2-bypass-poly.txt","size":3,"category":"other"},{"path":"bundle/logs/vuln-1-summary.txt","filename":"vuln-1-summary.txt","size":55,"category":"other"}]}