March 25, 2025

WorkOS, Next.js, and CVE-2025-29927

Over the weekend, security researchers responsibly disclosed CVE-2025-29927, a vulnerability in Next.js that allows an attacker to bypass Next.js middleware entirely.

Quick facts

  • If you use Next.js middleware for authorization or other security controls, upgrade immediately to a patched release (15.2.3, 14.2.25, or 13.5.9).
  • Next.js users on Vercel are protected but should still upgrade.
  • Users on other platforms should check with their providers for mitigation options.
  • AuthKit NextJS itself does not need to be updated.

The attack

The vulnerability works through manipulation of an internal header. Every time Next.js middleware runs, Next.js records that run by appending the middleware's name (middleware, or src/middleware if the file lives under src/) to a colon-separated x-middleware-subrequest header on the request. The header exists to track recursion and prevent infinite loops.

The loop guard stops middleware from re-entering itself more than 4 times: once the middleware's name appears in the header 5 times, Next.js skips the middleware for that request and hands it straight to the route. The flaw is that nothing distinguishes a header Next.js added itself from one supplied by the client, so an external request can forge the header and trip the guard on its very first pass through the server.

This lets the route run without any middleware checks.

An attacker can exploit this with a simple curl command. The header value is the middleware name repeated five times, separated by colons (use middleware instead of src/middleware if the middleware file sits at the project root):

curl "http://localhost:3000/api/test" \
  -H 'x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware'

How are AuthKit NextJS users affected?

If you rely on middleware for authorization, you must upgrade Next.js to v15.2.3, v14.2.25, or v13.5.9. If you don't rely on middleware for authorization, you should still upgrade as soon as possible to protect against this vulnerability.

In AuthKit Next.js, there are two main authentication approaches:

  1. Page-based auth - This is the default approach where you use the withAuth method in individual pages/routes to check if a user is authenticated. Authentication is checked at the route level.
  2. Middleware auth - This is the approach used when middlewareAuth: { enabled: true } is passed to the authkitMiddleware function. Authentication is checked in the middleware, and unauthenticated users are redirected before reaching any protected routes.

This attack only affects developers using the middleware auth approach:

// in middleware.ts
import { authkitMiddleware } from '@workos-inc/authkit-nextjs';

// With middlewareAuth enabled, every path not listed in unauthenticatedPaths
// requires a signed-in user. The check runs in middleware, before the route.
export default authkitMiddleware({
  middlewareAuth: {
    enabled: true,
    unauthenticatedPaths: ['/', '/about'],
  },
});

In this setup, the middleware decides whether a user may reach a route. Unauthenticated users are redirected to sign in before the route's code runs.

The attack bypasses this check, so the route runs as though the user were authenticated.

If your routes also perform their own checks with the withAuth helper, those still work as expected: withAuth runs inside the page or route handler itself, which the forged header cannot skip.
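To make the mechanism concrete, here is a scaled-down model, written for this article and not taken from Next.js or AuthKit, of the three things described above: the recursion guard that skips middleware once the header carries the middleware name five times, why a route with its own withAuth-style check is unaffected, and what stripping the header at an edge layer does. Function names, the session cookie name and the request shape are assumptions made for this example; the counting rule follows the article's description of the guard.

```javascript
// Added example, not code from Next.js or AuthKit. Names such as
// subrequestDepth, handleRequest and the 'wos-session' cookie are assumptions.

const MAX_RECURSION_DEPTH = 5; // the "more than 4 times" guard from the article

// Next.js names the middleware after its file location: 'middleware' at the
// project root, 'src/middleware' under src/. A forged header must use the
// name the target actually uses.
const MIDDLEWARE_NAME = 'src/middleware';

// The header is a colon-separated list of middleware names; the guard counts
// how many entries equal this middleware's own name.
function subrequestDepth(headers, name = MIDDLEWARE_NAME) {
  const raw = headers['x-middleware-subrequest'];
  if (!raw) return 0;
  return raw.split(':').filter((part) => part === name).length;
}

// The vulnerable guard: at the recursion limit the middleware is skipped.
// Nothing here tells a header Next.js added apart from one a client sent.
function middlewareSkipped(headers) {
  return subrequestDepth(headers) >= MAX_RECURSION_DEPTH;
}

// Session check shared by middleware and routes. A real app verifies a
// signed session; here the presence of the cookie stands in for that.
function hasSession(headers) {
  return /(?:^|;\s*)wos-session=/.test(headers.cookie || '');
}

// Middleware auth, as with middlewareAuth: { enabled: true,
// unauthenticatedPaths: ['/', '/about'] }.
function authMiddleware(req) {
  if (['/', '/about'].includes(req.path)) return null;
  if (!hasSession(req.headers)) return { status: 307, location: '/sign-in' };
  return null; // fall through to the route
}

// A route that relies on middleware alone (the affected pattern).
function dashboardRoute() {
  return { status: 200, body: 'dashboard' };
}

// The same route with its own check, the way withAuth({ ensureSignedIn: true })
// gives you one inside the page or handler.
function dashboardRouteWithAuth(req) {
  if (!hasSession(req.headers)) return { status: 307, location: '/sign-in' };
  return { status: 200, body: 'dashboard' };
}

// Request pipeline: optional edge stripping -> loop guard -> middleware -> route.
// stripAtEdge models a proxy or CDN that drops the header from external
// requests, the stopgap for deployments that cannot upgrade right away.
function handleRequest(req, route, { stripAtEdge = false } = {}) {
  const headers = { ...req.headers };
  if (stripAtEdge) delete headers['x-middleware-subrequest'];
  const scoped = { path: req.path, headers };
  if (!middlewareSkipped(headers)) {
    const early = authMiddleware(scoped);
    if (early) return early;
  }
  return route(scoped);
}

// The value from the curl command above: the name repeated five times.
const FORGED_HEADER = Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':');

// Stand-alone demo with constructed requests from an anonymous client.
const anon = { path: '/dashboard', headers: {} };
const forged = { path: '/dashboard', headers: { 'x-middleware-subrequest': FORGED_HEADER } };
console.log('no header:        ', handleRequest(anon, dashboardRoute).status);   // 307
console.log('forged, no auth:  ', handleRequest(forged, dashboardRoute).status); // 200
console.log('forged + withAuth:', handleRequest(forged, dashboardRouteWithAuth).status); // 307
console.log('forged + stripped:', handleRequest(forged, dashboardRoute, { stripAtEdge: true }).status); // 307
```

Two details worth noticing: four repetitions or the wrong middleware name leave the guard untripped, so a scanner that guesses `middleware` against an app whose file lives in `src/` reports a false negative; and the route-level check holds precisely because it runs after the point where the guard can intervene.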

Stay secure

This vulnerability affects a core function of Next.js.

By understanding the attack vector, you can protect your apps properly. Upgrade to a patched version immediately. Don't postpone this, especially if you rely on middleware for authentication or authorization controls.

For authkit-nextjs users, remember:

  • Your AuthKit code is safe.
  • The issue is in Next.js itself.
  • Layered security is still best practice.

Consider implementing route-level checks with withAuth as a defense-in-depth measure, even after upgrading. If you cannot upgrade right away, block external requests that carry the x-middleware-subrequest header at your proxy or CDN until you can.

If you need help or have questions about this vulnerability, reach out!
