Next.js Middleware Flaw Lets Attackers Bypass Authorization

A recent collaborative effort by researchers Rachid Allam and Yasser Allam has uncovered a critical vulnerability in the Next.js framework, a widely used JavaScript framework based on React with almost 10 million weekly downloads.

Their research, documented in a detailed publication, reveals a flaw in the Next.js middleware that allows unauthorized access and control, affecting all versions of the framework. This flaw, designated CVE-2025-29927 and rated critical, allows unauthorized access to protected resources.

Reportedly, the vulnerability specifically targets the middleware feature, a component designed to execute code before a request is completed and frequently used for critical security functions, including authentication and authorization. However, the discovered vulnerability allows attackers to bypass these security measures.

The core of the vulnerability lies in the handling of the “x-middleware-subrequest” header. By manipulating this header with a specific value, attackers can effectively skip the middleware’s intended rules, gaining unauthorized access. As Allam explained, “The header and its value act as a universal key allowing rules to be overridden.”

The vulnerability stems from code intended to prevent recursive requests, which could lead to infinite loops. Ironically, this very code introduced a point of failure, enabling the authorization bypass.

The value required for this bypass is derived from the middleware’s path, which, depending on the Next.js version, can be “middleware,” “src/middleware,” or a variation involving the “pages” directory in older versions.

Researchers demonstrated various exploits, including authorization/rewrite bypasses, Content Security Policy (CSP) bypasses, and even potential Denial-of-Service (DoS) attacks via cache poisoning.

“If the site has a cache/CDN system, it may be possible to force the caching of a 404 response, rendering its pages unusable,” they noted, highlighting the wide range of potential impacts.

They initially believed that only versions 12.0.0 and 12.0.7 were affected but later determined that all versions were vulnerable and duly notified the Next.js team.

The team promptly acknowledged the vulnerability, issuing an advisory and providing patches for vulnerable versions.

  • For Next.js 15.x, this issue is fixed in 15.2.3.
  • For Next.js 14.x, this issue is fixed in 14.2.25.
  • For Next.js 13.x, this issue is fixed in 13.5.9.
  • For Next.js 12.x, this issue is fixed in 12.3.5.

Earlier versions require workarounds, such as blocking external requests containing the “x-middleware-subrequest” header.
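The following is an added example, not code from the article, the researchers or the Next.js project, of what that workaround looks like in practice: a small Node.js check that a reverse proxy or edge handler placed in front of an unpatched Next.js app can use to refuse (or strip) any externally originated request carrying the “x-middleware-subrequest” header, whatever its value, and to flag such requests in access records for alerting. The header name comes from the article; the handler shape, function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example (not from the article or the Next.js project): defensive
// handling of the "x-middleware-subrequest" header at a proxy/edge layer in
// front of a Next.js app that has not yet been upgraded to a fixed version.
// The header is internal to Next.js; a legitimate client never sends it,
// so its presence on an external request is itself the signal.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Node's http module lower-cases incoming header names, but raw header maps
// from logs or other frameworks may not, so normalise before comparing.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the external request carries the internal header at all; the
// value is deliberately ignored so the check does not depend on which
// middleware path the deployed Next.js version uses.
function isSpoofedSubrequest(headers) {
  return Object.prototype.hasOwnProperty.call(normaliseHeaders(headers), BLOCKED_HEADER);
}

// Alternative to rejecting: drop the header so it never reaches the Next.js
// runtime. Returns the cleaned headers and whether anything was removed.
function stripSubrequestHeader(headers) {
  const cleaned = {};
  let removed = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      removed = true;
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, removed };
}

// Detection over access-style records of shape { ip, path, headers }:
// returns the records that carried the header so they can be alerted on.
function findSpoofAttempts(records) {
  return records.filter((record) => isSpoofedSubrequest(record.headers));
}

// Constructed sample records (not real traffic); the third uses mixed-case
// header names to show the normalisation matters.
const SAMPLE_RECORDS = [
  { ip: '203.0.113.10', path: '/admin', headers: { host: 'example.test', 'x-middleware-subrequest': 'middleware' } },
  { ip: '203.0.113.11', path: '/', headers: { host: 'example.test', accept: 'text/html' } },
  { ip: '203.0.113.12', path: '/dashboard', headers: { Host: 'example.test', 'X-Middleware-Subrequest': 'src/middleware' } },
];

// Minimal HTTP front-end glue, only started when this file is run directly.
// Forwarding to the Next.js upstream is left out; the point is the gate.
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('http');
  http.createServer((req, res) => {
    if (isSpoofedSubrequest(req.headers)) {
      console.log(`rejected ${req.socket.remoteAddress} ${req.url}: external ${BLOCKED_HEADER}`);
      res.writeHead(400, { 'content-type': 'text/plain' });
      res.end('bad request\n');
      return;
    }
    res.writeHead(200, { 'content-type': 'text/plain' });
    res.end('ok\n'); // proxy to the Next.js upstream here in a real deployment
  }).listen(8080);
  console.log('listening on :8080');
}

if (typeof module !== 'undefined') {
  module.exports = { isSpoofedSubrequest, stripSubrequestHeader, findSpoofAttempts, SAMPLE_RECORDS };
}
```

Rejecting outright is the simpler control and produces a clear log line to alert on; stripping is the option when some upstream path legitimately cannot tolerate a 400. Either way the check is only a stopgap until the app is on one of the fixed versions listed above.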

Notably, applications hosted on Vercel or Netlify were automatically protected. The framework’s maintainers have since admitted to missing “the mark on partner communications” and have committed to improving future security advisories by establishing a dedicated partner mailing list.

Next.js post on X (Source: zhero_web_security)

The Next.js documentation, which previously highlighted middleware’s role in authentication and authorization, has since been updated to emphasize that it should not be the sole security measure.

Nevertheless, the discovery and disclosure of CVE-2025-29927 show the importance of proper security checks, especially in widely used frameworks like Next.js.