WorkOS, Next.js, and CVE-2025-29927
Over the weekend, security researchers responsibly disclosed CVE-2025-29927, a vulnerability in Next.js that allows an attacker to bypass Next.js middleware entirely.
Quick facts
- If you use Next.js middleware for authorization or other security controls, upgrade immediately.
- Next.js users on Vercel are protected but should still upgrade.
- Users on other platforms should check with their providers for mitigation options.
- AuthKit NextJS itself does not need to be updated.
The attack
The vulnerability works through middleware header manipulation. Every time Next.js middleware handles a request, it adds an x-middleware-subrequest header to that request as a way to track and prevent infinite loops.
That guard stops middleware from calling itself more than 4 times. When the header carries the same value more than 4 times, the middleware is bypassed.
This lets the route run without any middleware checks.
An attacker can exploit this with a simple curl command:
curl "http://localhost:3000/api/test" \
  -H 'x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware'
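As an added illustration (not code from the WorkOS post, AuthKit, or Next.js itself), here is an edge-side guard that uses the header format and threshold described above: it drops any client-supplied x-middleware-subrequest header before the request reaches Next.js, and reports whether the value contained a segment repeated often enough to trip the recursion guard. The header name and the 4-repeat threshold are taken from the description above; the function names and the sample headers are this example's own.

```typescript
// Added example: an edge/proxy-side guard for the x-middleware-subrequest header.
// Next.js sets this header internally; an external client has no legitimate reason
// to send it, so it is always stripped and only additionally flagged when it looks forged.

const SUBREQUEST_HEADER = "x-middleware-subrequest";
// The post states the bypass triggers once the same value appears more than 4 times.
const MAX_REPEATS = 4;

/** Count how often each colon-separated segment appears in the header value. */
function countSegments(value: string): Map<string, number> {
  const counts = new Map<string, number>();
  for (const raw of value.split(":")) {
    const seg = raw.trim();
    if (seg.length === 0) continue; // ignore empty segments such as a trailing colon
    counts.set(seg, (counts.get(seg) ?? 0) + 1);
  }
  return counts;
}

/** True when any segment repeats more than maxRepeats times (the bypass condition). */
function looksLikeBypassAttempt(value: string, maxRepeats: number = MAX_REPEATS): boolean {
  for (const n of countSegments(value).values()) {
    if (n > maxRepeats) return true;
  }
  return false;
}

interface GuardResult {
  headers: Record<string, string>; // headers safe to forward upstream
  present: boolean;                // client sent the internal header at all
  flagged: boolean;                // value matched the bypass pattern
}

/** Strip the internal header from inbound headers (case-insensitively) and classify it. */
function guardInboundHeaders(headers: Record<string, string>): GuardResult {
  const cleaned: Record<string, string> = {};
  let present = false;
  let flagged = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SUBREQUEST_HEADER) {
      present = true;
      flagged = flagged || looksLikeBypassAttempt(value);
      continue; // never forward it, forged or not
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, present, flagged };
}

// Constructed sample: the header value from the curl command above.
const forgedValue = "src/middleware:src/middleware:src/middleware:src/middleware:src/middleware";
```

A flagged result is worth logging with the client address, since it indicates a deliberate probe rather than a misconfigured client.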
How are AuthKit NextJS users affected?
If you rely on middleware for authorization you must upgrade Next.js to v15.2.3, v14.2.25, or v13.5.9. If you don't rely on middleware for authorization you should still upgrade as soon as possible to protect against this vulnerability.
In AuthKit Next.js, there are two main authentication approaches:
- Page-based auth - This is the default approach, where you use the withAuth method in individual pages/routes to check if a user is authenticated. Authentication is checked at the route level.
- Middleware auth - This is the approach when middlewareAuth: { enabled: true } is passed to the authkitMiddleware function. Authentication is checked in the middleware, and unauthorized users are redirected before reaching any protected routes.
This attack only affects developers using the middleware auth approach:
// in middleware.ts
import { authkitMiddleware } from '@workos-inc/authkit-nextjs';

// Authentication is enforced here, in middleware, for every route except the listed ones.
export default authkitMiddleware({
  middlewareAuth: {
    enabled: true,
    unauthenticatedPaths: ['/', '/about'],
  },
});
In this setup, middleware controls user authorization to view routes. When unauthorized, users get redirected to sign in.
The attack bypasses this check, letting routes run as if the user was authorized.
If your routes perform additional authorization checks using the withAuth helper, these still work as expected.
Stay secure
This vulnerability affects a core function of Next.js.
By understanding the attack vector, you can protect your apps properly. Upgrade to patched versions immediately. Don't postpone this, especially if you rely on middleware for authentication or authorization controls.
For authkit-nextjs users, remember:
- Your AuthKit code is safe.
- The issue is in Next.js itself.
- Layered security is still best practice.
Consider implementing route-level checks with withAuth as a defense-in-depth measure, even after upgrading.
If you need help or have questions about this vulnerability, reach out!