Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps.
Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.
You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/
HD Moore /
npub183…fz7sj
2025-03-23 02:42:56
Author Public Key
npub183jlg550rkcz46gv688rcj2d4ap9cxxut5lg2naehae62hlrlnfs2fz7sjPublished at
2025-03-23 02:42:56Event JSON
{
"id": "e565d61e1fa10f5b05d0e14bb132445f415d28546e99923c977acb144896d5c9",
"pubkey": "3c65f4528f1db02ae90cd1ce3c494daf425c18dc5d3e854fb9bf73a55fe3fcd3",
"created_at": 1742697776,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/hdm/statuses/114209441459410050",
"activitypub"
]
],
"content": "Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. \n\nShodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.\n\nYou can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/",
"sig": "93834385b268ec6691c718bb47d306ffa13faaf1ace580df4b799570a9a9c3d88ce17b9c5bb4fd5302f5297ecc3a229c5d684b0d4474139d17494adb6c4d0d1b"
}