Behind the Middleware Curtain — Explaining CVE-2025-29927, A Critical Authorization Bypass in Next.js

ID: 3c7c9a71-e2a4-5093-b7b1-e017d3251546

STIX ID: report--3c7c9a71-e2a4-5093-b7b1-e017d3251546

Feed Name: Checkmarx Zero

Threat Score
90/100

Date Published: 2025-03-25

Date Updated: 2026-04-27

Author: Raphael Silva

...
...

This report documents CVE-2025-29927, a critical authorization bypass in Next.js middleware: an attacker who sets the x-middleware-subrequest request header can cause the framework to skip middleware checks entirely. The flaw affects many Next.js versions, is trivial to exploit and likely to be automated, and is remediated by upgrading Next.js or by blocking the header with WAF or server rules.