Next.js Vulnerability - CVE-2025-29927

Another day, another vulnerability in a web framework. However, because Next.js is so ubiquitous and the impact is significant, we're encouraging clients who don't automate their software asset management and vulnerability reporting to perform a manual review to establish whether vulnerable versions of Next.js are in use in their web applications.

The write-up and disclosure of the vulnerability are available via the researchers' blog post here: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware but the TL;DR is that affected versions of Next.js may expose you (in the worst-case scenario) to authentication bypass by simply rewriting the HTTP request header:

x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware

or:

x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
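
Until every application is updated, a reverse proxy or gateway in front of Next.js can drop this header from inbound requests and flag the requests that carried it. The sketch below is an added example, not code from the researchers or from Next.js; the function names, hostnames and sample requests are constructed, and it assumes external clients have no legitimate reason to send this header.

```javascript
// Added example: edge/log-side screening for the internal header named above.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Accepts Node-style rawHeaders: [name1, value1, name2, value2, ...].
// Returns the findings plus a header list that is safe to forward upstream.
function screenRequest(rawHeaders) {
  const forwarded = [];
  const findings = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    const value = rawHeaders[i + 1];
    // HTTP header names are case-insensitive; tolerate stray whitespace.
    if (name.trim().toLowerCase() === INTERNAL_HEADER) {
      const segments = value.split(":").map((s) => s.trim()).filter(Boolean);
      findings.push({
        value,
        segments: segments.length,
        // The same path repeated several times is the shape quoted above.
        repeated: segments.length > 1 && new Set(segments).size === 1,
      });
      continue; // never forward a client-supplied copy
    }
    forwarded.push(name, value);
  }
  return { suspicious: findings.length > 0, findings, forwarded };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { id: "req-1", rawHeaders: ["Host", "app.example", "Accept", "text/html"] },
  { id: "req-2", rawHeaders: ["Host", "app.example",
      "X-Middleware-Subrequest", "middleware:middleware:middleware:middleware:middleware"] },
  { id: "req-3", rawHeaders: ["host", "app.example",
      "x-middleware-subrequest", "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware",
      "cookie", "theme=dark"] },
];

// One alert line per request that carried the header.
function report(samples) {
  return samples
    .map((s) => ({ id: s.id, ...screenRequest(s.rawHeaders) }))
    .filter((r) => r.suspicious)
    .map((r) => `${r.id}: dropped ${INTERNAL_HEADER} (${r.findings[0].segments} segments)`);
}

console.log(report(SAMPLES).join("\n"));
```

Filtering at the edge narrows exposure but does not replace updating Next.js.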

A quick check on Shodan reveals over 336,000 hosts on the internet using Next.js; however, it's difficult to reliably determine how many of these are using vulnerable versions. The only guarantee is that if you are using one and don't update, someone will find out for you.