
Next.js Shame
When “Magic” Middleware Goes Kaboom
Ah, Next.js: the darling of hype-driven React devs everywhere. You know, that framework promising you zero-config routing, "blazing-fast" performance and, ahem, "enterprise-grade security." Except when it doesn't. In March 2025, security researchers Allam Rachid (zhero) and Allam Yasser (inzo_) went public with CVE-2025-29927, a critical (CVSS 9.1) authorization bypass in Next.js middleware that lets an attacker skip your precious auth checks like they're on a cheat code. Vercel scrambled, Cloudflare promoted its Workers platform as "unaffected" while pushing a WAF rule to everyone else, and the Twittersphere erupted in tech-bro drama. Buckle up, this is going to be fun.
The Nitty‑Gritty: Bypassing Auth with x-middleware-subrequest
Next.js middleware runs in an isolated edge runtime, not inside your route handlers, and when Next.js makes an internal subrequest back into the app (a rewrite that re-enters it, say) it tags that request with the header x-middleware-subrequest so the middleware isn't re-run recursively. Trouble is, nothing distinguished that internal header from one typed in by a client. In the 12.x era the runner skipped middleware whenever the header merely listed the middleware's name (pages/_middleware, later middleware); from 13 up to unpatched 15 it skipped once the name appeared five times, the recursion limit. Either way, a crafted header value convinces Next.js that the middleware already ran, so it returns the equivalent of NextResponse.next() and the bad guy strolls right past your /dashboard/admin route. Padding tokens between the names (the "nowaf" filler in the payload below) don't change the count, which is why signature-based WAF rules that look for the names back to back were easy to dodge.
GET /dashboard/admin HTTP/1.1
Host: victim.app
X-Middleware-Subrequest: src/middleware:nowaf:…:pages/_middleware
Result? Zero auth, zero shame.
Vercel’s Post‑Mortem: “We Knew, But…Oops?”
Vercel's official postmortem says the report reached them on 14 Mar 2025, that they confirmed the flaw, and that patches for Next.js 14.2.25 and 15.2.3 shipped by 17 Mar, with backports to 13.5.9 and 12.3.5 following; the public advisory and the researchers' writeup landed on 21 Mar. All of this while proudly noting that deployments on Vercel were never vulnerable thanks to their decoupled routing system. Sounds reassuring, unless you self-host, in which case you were wide open for as long as that bug had been in the tree and stayed that way until you actually upgraded.
Cloudflare’s Opportunistic Flex: “Workers? We’ve Got You Covered”
Enter Cloudflare, swaggering onto the scene: "Hey, our Workers platform was never affected, either!" It also pushed a managed WAF rule blocking the header to its customers, then backed it down to opt-in after it broke legitimate traffic. Suddenly, every Next.js dev with self-hosted infra got a dozen Slack pings about migrating to Cloudflare. Talk about striking while the iron's hot, and selling more cloud services on the side.
The Drama Unfolds: Vercel vs. Cloudflare (and React Haters Everywhere)
On Twitter and Hacker News, Vercel and Cloudflare fans clashed. Vercel insisted they “communicated enough,” while Cloudflare cheekily retweeted gloating posts from Next.js skeptics. Meanwhile, your friendly neighborhood Express.js and Go fans (that’s me) were in popcorn mode, chuckling at the “enterprise‑grade” framework face‑plant.
“I told you so! All these abstractions just add attack surface.” – Every Raw‑Dogging Express.js Dev Ever
Source: Hacker News threads and random X posts.
Workarounds for the Truly Masochistic
If you can't upgrade, do what the advisory itself recommends and make sure no external request carrying x-middleware-subrequest ever reaches your Next.js process: strip it at your edge or reverse proxy. Nginx (an empty value makes nginx drop the header rather than forward it empty):
proxy_set_header x-middleware-subrequest "";
Express.js (only relevant when Express fronts Next.js, as with a custom server; Node lower-cases incoming header names, so the lookup below is effectively case-insensitive):
app.use((req, res, next) => {
  // drop the header before Next.js's request handler sees it
  delete req.headers['x-middleware-subrequest'];
  next();
});
Apache, AWS WAF, you name it: block or yank that header before Next.js sees it.
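Stripping the header stops the bypass; it does not tell you whether anyone tried it, or succeeded before you patched. The following is an added example, not from the page or any vendor: a small triage script over a reverse-proxy log that records request headers, which flags every request carrying the header, classifies the payload by which guard generation it targets, and tallies probes per source address. The JSON-lines log format and every entry in it are constructed for the example; adapt the field names to whatever your proxy actually emits.

```javascript
// Added example, not from the page or from any vendor: triage a reverse-proxy
// log that records request headers and flag CVE-2025-29927 probes, classifying
// each by which guard generation the payload targets. The JSON-lines format and
// every log entry below are constructed for the example.

const DEPTH_LIMIT = 5;
// Middleware names the guard compared against, depending on Next.js version
// and where the middleware file lives.
const MIDDLEWARE_NAMES = ['middleware', 'src/middleware', 'pages/_middleware'];

// Decide what a header value was trying to do.
function classifyPayload(value) {
  const counts = {};
  for (const token of value.split(':')) counts[token] = (counts[token] || 0) + 1;
  const named = MIDDLEWARE_NAMES.filter((n) => counts[n] > 0);
  if (named.some((n) => counts[n] >= DEPTH_LIMIT)) return 'depth-bypass'; // 13.x to 15.x guard
  if (named.includes('pages/_middleware')) return 'legacy-bypass';        // 12.x guard
  if (named.length > 0) return 'below-limit';   // a name, but not enough repeats
  return 'unrecognised';
}

// Scan JSON-lines entries and return one finding per request that carried
// the header. Header names are compared case-insensitively because a proxy
// may preserve whatever casing the client sent.
function findProbes(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const headers = entry.headers || {};
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'x-middleware-subrequest');
    if (!key) continue;
    findings.push({
      ip: entry.client_ip,
      path: entry.path,
      kind: classifyPayload(String(headers[key])),
      // A 2xx on a path your middleware should have gated is the signal that
      // the bypass worked; on an ungated path it tells you nothing.
      got2xx: entry.status >= 200 && entry.status < 300,
    });
  }
  return findings;
}

// Constructed log lines (documentation IP ranges, not real clients).
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:01:02Z","client_ip":"203.0.113.7","method":"GET","path":"/dashboard/admin","status":401,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-22T10:01:09Z","client_ip":"203.0.113.7","method":"GET","path":"/dashboard/admin","status":200,"headers":{"X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-03-22T10:01:15Z","client_ip":"198.51.100.4","method":"GET","path":"/dashboard/admin","status":401,"headers":{"x-middleware-subrequest":"pages/_middleware"}}',
  '{"ts":"2025-03-22T10:01:20Z","client_ip":"198.51.100.4","method":"GET","path":"/api/health","status":200,"headers":{"x-middleware-subrequest":"middleware"}}',
  'this line is not JSON and must be skipped',
];

// Summarise per source address so the noisy scanner stands out.
function summarise(findings) {
  const byIp = {};
  for (const f of findings) {
    const s = byIp[f.ip] || (byIp[f.ip] = { probes: 0, got2xx: 0 });
    s.probes += 1;
    if (f.got2xx) s.got2xx += 1;
  }
  return byIp;
}

console.log(findProbes(SAMPLE_LOG));
console.log(summarise(findProbes(SAMPLE_LOG)));
```

Run it against a log window that spans the days before you patched: a depth-bypass finding with a 2xx on a gated path is the line you escalate, because it means the header reached Next.js and the check was skipped.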
Why This Matters: Don’t Let Abstractions Bite You
Next.js sells convenience—but convenience often comes with hidden magic. Middleware abstractions are great until they hand you a backdoor. As an aspiring engineer who prefers raw Express.js or a Go HTTP server, I say: write your own auth checks in plain sight. No black‑box headers, no mysterious processes, just you, your code, and your users’ data.
Conclusion: Patch, Laugh, Move On
Upgrade to Next.js 15.2.3+, 14.2.25+, 13.5.9+, or 12.3.5+ immediately.
Self‑hosted? Strip x-middleware-subrequest at the edge.
Tired of abstractions? Try Express.js or Go—raw code never lets you down.
Next.js had its moment in the sun. Now it’s time to patch up, mock a bit, and build your next project on something that doesn’t sneak a vulnerability into your headers. Raw code FTW.