Security Research

NextJS Authorization Bypass (CVE-2025-29927) Highlights the Need for Stronger Runtime Security

Tomer Filiba

CTO

March 25, 2025


What Happened

Two security researchers have recently discovered an authorization-bypass bug in the popular NextJS framework by Vercel. Tracked as CVE-2025-29927 with a CVSS score of 9.1, the vulnerability allows attackers to bypass middleware logic; patches have been released and users are urged to upgrade.

While the vulnerability was reported to Vercel a month ago, it took over two weeks to patch. It is also worth noting that the vulnerability had existed in the codebase, undetected, for two years, and that behavioral analysis could potentially have identified it before it became a CVE.

Vercel and other hosted NextJS providers have already patched the bug, but it is unknown how many self-hosted instances of NextJS are affected. Yet again, the prevalence of cloud vulnerabilities is impossible to ignore, reminding us that what we see is merely the tip of the iceberg.

What is Middleware?

Middleware is a mechanism web frameworks offer to reduce code duplication: instead of repeating the same logic (such as authentication or logging) in every request handler, that logic is packaged as a function that validates the prerequisites before the handler runs.

These middleware functions are chained in sequence; each one must validate the request before control proceeds to the next middleware function or to the final application logic.

How does the Bypass Work?

NextJS uses an internal HTTP header, x-middleware-subrequest (e.g., “x-middleware-subrequest: middleware”), to skip running the listed middlewares. Its original purpose was to avoid infinite loops in which a middleware that has already checked a request runs it again, most likely due to an error. However, as the researchers show, an attacker can supply a crafted value in this header and cause the middleware to be skipped.

This means that adversaries can simply cause a request to skip authorization, logging, or many other functions provided by middleware and proceed as though authenticated, allowing them to access protected resources, leak other users' data, and so on.

How Sweet’s Runtime CNAPP Can Help

41% of Sweet’s customers were found with the vulnerability.
30% of these customers actually had the vulnerability LOADED into memory.
25% had the vulnerability with inbound connections.

Sweet's runtime-based vulnerability management can detect affected NextJS workloads running in your environment. Unlike traditional vulnerability management solutions, Sweet uses runtime signals, which reduces the false-positive rate to virtually zero.

Sweet’s deep ADR capabilities allow real-time inspection of HTTP/S requests at the application level and can detect the presence of the x-middleware-subrequest header as an Indicator of Compromise (IoC).
Sweet can either alert on or block such requests in real time.
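As an added example (not code from the original post, nor from Vercel or the Next.js project), the following JavaScript sketches the two ideas discussed above: a minimal middleware chain in which each function must validate the request before control passes on, and an edge-side check that treats the presence of the framework-internal x-middleware-subrequest header on an inbound request as an IoC, records it, and blocks the request. The request shape, the helpers `runChain`, `requireAuth`, `inspectInbound` and `handleExternal`, and the sample requests are all constructed for this example; the blocking approach assumes a deployment where a proxy or edge layer sits in front of the application and can drop requests before they reach it.

```javascript
// Added example: middleware chaining plus inbound IoC detection for the
// x-middleware-subrequest header. Nothing here is a Next.js API; the request
// object shape ({ headers, path, src }) is constructed for illustration.

const BYPASS_HEADER = "x-middleware-subrequest";

// Run middleware functions in sequence. Each middleware receives the request
// and a next() callback; if it does not call next(), the chain stops and the
// response it returned is used. Only when every middleware has passed the
// request along does the final application handler run.
function runChain(req, middlewares, handler) {
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    return mw ? mw(req, next) : handler(req);
  };
  return next();
}

// Example middleware: require a session header before reaching the handler.
// (Constructed check; a real implementation would validate the session.)
function requireAuth(req, next) {
  if (!req.headers["x-session"]) {
    return { status: 401, body: "unauthenticated" };
  }
  return next();
}

// Inbound inspection: the header is meant for the framework's own internal
// use, so its presence on a request arriving from outside is treated as an
// IoC regardless of value. Header lookup is case-insensitive, as HTTP
// header names are. Returns a verdict object the caller can log or act on.
function inspectInbound(req) {
  const raw = Object.keys(req.headers).find(
    (k) => k.toLowerCase() === BYPASS_HEADER
  );
  if (raw === undefined) {
    return { flagged: false };
  }
  return {
    flagged: true,
    header: raw,
    value: req.headers[raw],
    reason: `internal header ${BYPASS_HEADER} present on external request`,
  };
}

// Edge gate: block flagged requests and append the verdict (plus source and
// path) to the supplied log array; otherwise hand the request to the normal
// middleware chain so that authorization still runs as designed.
function handleExternal(req, middlewares, handler, log = []) {
  const verdict = inspectInbound(req);
  if (verdict.flagged) {
    log.push({ ...verdict, path: req.path, src: req.src });
    return { status: 403, body: "forbidden" };
  }
  return runChain(req, middlewares, handler);
}

// Final application logic behind the chain.
const protectedHandler = (req) => ({ status: 200, body: `secret for ${req.path}` });

// Stand-alone demonstration with constructed sample requests.
// The source address is from the RFC 5737 documentation range.
const iocLog = [];
const samples = [
  { headers: {}, path: "/admin", src: "203.0.113.5" },
  { headers: { "x-session": "s1" }, path: "/admin", src: "203.0.113.5" },
  {
    headers: { "X-Middleware-Subrequest": "constructed-value", "x-session": "s1" },
    path: "/admin",
    src: "203.0.113.5",
  },
];
for (const req of samples) {
  const res = handleExternal(req, [requireAuth], protectedHandler, iocLog);
  console.log(req.path, Object.keys(req.headers), "->", res.status);
}
console.log("IoC log entries:", iocLog.length);
```

The gate deliberately runs before the middleware chain rather than inside it: the point of the vulnerability is that the chain itself can be skipped, so a check that lives in the chain would be skipped along with it. Placing the detection at the proxy or edge layer, and keeping the decision independent of the header's value, is what makes the IoC reliable.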

By integrating runtime security and deep packet inspection, Sweet ensures that even novel attack methods leveraging HTTP header manipulation are swiftly detected and mitigated.

Experience how Sweet Security can protect your NextJS workloads in real time. Our runtime-based detection and response capabilities provide deep visibility into application traffic, ensuring threats like CVE-2025-29927 are caught before they cause damage.

Schedule a demo today and see how Sweet keeps your cloud applications secure, without compromising performance.
