Next.js is the most popular React framework. It is also the framework where CVE-2025-29927 proved that middleware-only auth is not enough — one HTTP header bypassed every authentication check, across every version from 11.x to 15.x. Whether you built with Cursor, v0, or by hand, your Next.js app needs defense in depth.
Next.js is a strong framework. But its middleware pattern — the recommended way to handle auth — became a single point of failure when CVE-2025-29927 dropped. AI coding tools make this worse by generating middleware as the only auth layer without adding redundant checks in route handlers.
A single HTTP header — x-middleware-subrequest — could bypass all middleware in Next.js versions 11.x through 15.x. Authentication, authorization, CSP, rate limiting — all skipped. CVSS 9.1. Mass scanning started within 24 hours of disclosure.
The header was an internal signal for managing recursive middleware calls. Next.js never validated whether it came from the framework or from an attacker. One curl command bypassed every middleware check in the application.
Next.js Server Actions execute on the server but are callable from the client. AI tools generate server actions that accept user input and perform database operations without validating authentication or ownership.
A server action that updates a user profile might accept a userId parameter without checking that the caller owns that user record. This is IDOR at the server action level — the same pattern that affects 41% of multi-user apps in our study.
AI-generated API routes in the app/api/ directory often rely entirely on middleware for authentication. If middleware is bypassed or misconfigured, every API route is exposed. Each route handler should independently verify the session.
The defense-in-depth pattern: middleware provides a first-pass check, and each route handler calls getServerSession() or equivalent. Most AI-generated Next.js apps skip the second check.
Next.js server components can fetch external URLs during rendering. When user input controls the fetch URL — common in link preview features, image proxies, or webhook handlers — the server can be tricked into making requests to internal services.
Server-Side Request Forgery allows attackers to reach internal APIs, cloud metadata endpoints (like AWS 169.254.169.254), or other services behind the firewall. AI-generated code rarely validates or restricts the destination of server-side fetches.
Next.js uses an internal HTTP header called x-middleware-subrequest to manage recursive middleware calls. When middleware makes a subrequest, Next.js attaches this header to prevent infinite loops. Once the recursion counter hits a threshold, the framework skips middleware entirely.
The problem: Next.js never validated where the header came from. An external request with the right header value triggered the same skip logic. One curl command bypassed everything:
```bash
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  https://target.com/admin/dashboard
```

The /admin/dashboard route loads as if middleware does not exist. No auth check. No role validation. No redirect to login. Mass scanning for this vulnerability started within 24 hours of the public disclosure on March 21, 2025.
The fix is twofold: update Next.js to a patched version (15.2.3, 14.2.25, 13.5.9, or 12.3.5), and add server-side auth checks in every route handler and server component. Middleware should be a first line of defense, not the only one.
The pattern that protects against CVE-2025-29927 and future middleware bypasses is defense in depth — multiple independent security layers, any one of which can stop an unauthorized request.
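The per-handler check behind this pattern, covering both the route-handler session check and the server-action ownership check described above, as an added example that is not code from the original post or from Flowpatrol. `lookupSession()` is a hypothetical stand-in for `getServerSession()` or your own session store, and the `SESSIONS` map holds constructed sample data.

```javascript
// Added example, not code from the original post or from Flowpatrol: a
// per-handler authorization guard that never relies on middleware having run.
// lookupSession() is a hypothetical stand-in for getServerSession() or your
// own session store; SESSIONS holds constructed sample data.

const SESSIONS = new Map([
  ["tok-alice", { userId: "u-1", role: "user" }],   // constructed
  ["tok-root",  { userId: "u-9", role: "admin" }],  // constructed
]);

// Resolve the caller from the session cookie only. Request headers such as
// x-middleware-subrequest play no part in the decision.
function lookupSession(request) {
  const cookie = request.headers.get("cookie") ?? "";
  const match = /(?:^|;\s*)session=([^;\s]+)/.exec(cookie);
  return match ? SESSIONS.get(match[1]) ?? null : null;
}

// Authentication (401) and authorization (403) are decided inside the handler,
// so a middleware bypass changes nothing about the outcome.
function authorize(request, { requireRole, ownerId } = {}) {
  const session = lookupSession(request);
  if (!session) return { ok: false, status: 401 };
  if (requireRole && session.role !== requireRole) return { ok: false, status: 403 };
  if (ownerId !== undefined && ownerId !== session.userId) return { ok: false, status: 403 };
  return { ok: true, status: 200, session };
}

// Shape of app/api/admin/dashboard/route.js: the role check happens here,
// not only in middleware.js.
function adminDashboard(request) {
  const auth = authorize(request, { requireRole: "admin" });
  if (!auth.ok) return new Response(null, { status: auth.status });
  return new Response(JSON.stringify({ dashboard: "ok" }), { status: 200 });
}

// Shape of app/api/users/[id]/route.js PATCH: the id from the URL must match
// the session's user, which closes the IDOR the post describes.
async function updateProfile(request, { params }) {
  const auth = authorize(request, { ownerId: params.id });
  if (!auth.ok) return new Response(null, { status: auth.status });
  const body = await request.json();
  return new Response(JSON.stringify({ userId: params.id, displayName: body.displayName }), { status: 200 });
}
```

With this in place, a request carrying the bypass header but no valid session still receives a 401 from the handler itself.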
Flowpatrol scans your live Next.js app for framework-specific vulnerabilities, not just generic web issues.
Sends requests with the x-middleware-subrequest header and compares responses. Detects whether your middleware is still bypassable or has been patched.
Checks that protected routes enforce authentication in route handlers and server components, not just middleware. Tests for defense in depth.
Tests every discoverable endpoint for auth bypass, IDOR, injection, and SSRF. Verifies that server actions validate input and ownership.
Middleware, API routes, server actions, headers — one scan covers the full stack. Know where you stand before you ship.