Next.js Middleware Bypass: When 'I'm With The Band' Actually Works
Jan 12, 2026
Executive Summary (TL;DR)
By sending the `x-middleware-subrequest` header, attackers can trick the Next.js router into believing a request has already passed security checks. This bypasses authentication and access controls defined in `middleware.ts`. Patched versions introduce a server-side secret to validate this header.
A critical authorization bypass in the Next.js framework allows attackers to skip middleware execution entirely by injecting a specific internal HTTP header. This effectively removes the 'bouncer' from the door of your application, granting unauthorized access to protected routes.
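As an added defensive example (not code from the original page or from the Next.js project), the JavaScript below does two things at the edge in front of an unpatched deployment: it strips the internal header from any inbound client request, and it scans edge-log lines for requests that arrived carrying it, which is the signal a detection rule should alert on. The log format, field names and sample entries are constructed assumptions.

```javascript
// Defensive helpers for the bypass described above (added example; not
// Next.js code). Assumes request headers are plain objects and that the
// reverse proxy logs one JSON object per request with the header names it saw.

// Internal header that the vulnerable router trusted without verification.
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Drop the internal header from anything arriving from an external client.
// Run this at the reverse proxy / CDN so only the framework itself can set it.
function stripInternalHeaders(headers) {
  const cleaned = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) cleaned[name] = value;
  }
  return cleaned;
}

// Constructed sample of edge logs (documentation-range source addresses).
const SAMPLE_LOG = [
  '{"ts":"2026-01-12T10:00:01Z","src":"203.0.113.7","path":"/dashboard","headers":["host","accept","x-middleware-subrequest"]}',
  '{"ts":"2026-01-12T10:00:02Z","src":"203.0.113.9","path":"/","headers":["host","accept"]}',
  '{"ts":"2026-01-12T10:00:03Z","src":"203.0.113.7","path":"/admin","headers":["host","X-Middleware-Subrequest"]}',
].join('\n');

// Return the entries where an external client supplied the internal header.
// Each hit is a bypass attempt (or a misconfigured upstream) worth alerting on;
// header names are compared case-insensitively because HTTP headers are.
function findBypassAttempts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    const names = (entry.headers || []).map((h) => String(h).toLowerCase());
    if (names.includes(SUBREQUEST_HEADER)) {
      hits.push({ ts: entry.ts, src: entry.src, path: entry.path });
    }
  }
  return hits;
}
```

Stripping the header is a stop-gap for the edge only; upgrading to the fixed versions listed below is the actual remediation.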
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Next.js (Vercel) | 11.1.4 - 12.3.4 | 12.3.5 |
| Next.js (Vercel) | 13.0.0 - 13.5.8 | 13.5.9 |
| Next.js (Vercel) | 14.0.0 - 14.2.24 | 14.2.25 |
| Next.js (Vercel) | 15.0.0 - 15.2.2 | 15.2.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-285 (Improper Authorization) |
| CVSS v3.1 | 9.1 (Critical) |
| Attack Vector | Network (AV:N) |
| EPSS Score | 92.90% |
| Exploit Status | Active / High Availability |
| KEV Status | Not Listed (Monitoring Recommended) |
CWE-285 (Improper Authorization)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.