Next.js is the most popular React framework. It is also the framework where one HTTP header walked past every login check, across every version from 11.x to 15.x (CVE-2025-29927). Whether you built with Cursor, v0, or by hand, your Next.js app needs more than one gate.
Next.js is a strong framework. But its middleware pattern — the recommended way to handle auth — became a single point of failure when CVE-2025-29927 dropped. AI coding tools make this worse by generating middleware as the only auth layer without adding redundant checks in route handlers.
A single HTTP header — `x-middleware-subrequest` — bypassed all middleware in Next.js versions 11.x through 15.x. Login checks, rate limiting, browser-side guardrails (CSP) — all skipped. CVSS 9.1. Mass scanning started within 24 hours of disclosure.
The header was an internal signal for managing recursive middleware calls. Next.js never checked whether it came from the framework or from an attacker. One `curl` command walked past every middleware check in the app.
Next.js Server Actions run on the server but are callable from the browser. AI tools build server actions that take user input and touch the database without checking who is calling or whether they actually own the record.
A server action that updates a profile might accept a `userId` parameter without verifying the caller owns it. That is the same "read another user by changing an ID" pattern (IDOR) that hit 41% of multi-user apps in our study.
AI-generated API routes in `app/api/` often lean entirely on middleware for the login check. If middleware is bypassed or misconfigured, every route is wide open. Every route handler should verify the session itself.
The defense-in-depth pattern: middleware is the first gate, and each route handler calls `getServerSession()` or similar as a second gate. Most AI-generated Next.js apps skip the second gate.
Next.js server components can fetch external URLs during rendering. When user input controls that URL — common in link previews, image proxies, or webhook handlers — the server can be tricked into calling internal services you never meant to expose.
This pattern (called SSRF, Server-Side Request Forgery) lets attackers reach internal APIs, cloud metadata endpoints (like AWS `169.254.169.254`), or other things behind the firewall. AI-generated code rarely checks where a server-side fetch is actually going.
Next.js uses an internal HTTP header called `x-middleware-subrequest` to manage recursive middleware calls. When middleware makes a subrequest, Next.js attaches this header to prevent infinite loops. Once the recursion counter hits a threshold, the framework skips middleware entirely.
The problem: Next.js never validated where the header came from. An external request with the right header value triggered the same skip logic. One `curl` command bypassed everything:

```bash
curl -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware" \
  https://target.com/admin/dashboard
```

The `/admin/dashboard` route loads as if middleware does not exist. No auth check. No role validation. No redirect to login. Mass scanning for this vulnerability started within 24 hours of the public disclosure on March 21, 2025.
The fix is twofold: update Next.js to a patched version (15.2.3, 14.2.25, 13.5.9, or 12.3.5), and add server-side auth checks in every route handler and server component. Middleware should be a first line of defense, not the only one.
The pattern that protects against CVE-2025-29927 and future middleware bypasses is defense in depth — multiple independent security layers, any one of which can stop an unauthorized request.
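As an added example (not code from Next.js, Flowpatrol, or the original page), here is what the second gate looks like in an App Router route handler: the caller is resolved from the session cookie rather than from any header, and the record's ownership is checked before the update, so the handler behaves the same whether or not middleware ran. The session and profile stores are constructed in-memory stand-ins for a real session backend and database.

```typescript
// Added example: a Next.js-style route handler that re-checks session and record
// ownership itself. Stores below are constructed stand-ins, not a real backend.
type Session = { userId: string; role: "user" | "admin" };
type Profile = { id: string; ownerId: string; displayName: string };

const sessions: Record<string, Session> = {
  "sess-alice": { userId: "u1", role: "user" },
  "sess-admin": { userId: "u99", role: "admin" },
};
const profiles: Record<string, Profile> = {
  p1: { id: "p1", ownerId: "u1", displayName: "Alice" },
  p2: { id: "p2", ownerId: "u2", displayName: "Bob" },
};

function parseCookies(header: string | null): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Second gate: identify the caller from the session cookie only. Headers that
// middleware "would have set" (e.g. x-user-id) are never trusted: if middleware was
// skipped they were never set, and a client can send them directly.
export function getSession(req: Request): Session | null {
  const token = parseCookies(req.headers.get("cookie"))["session"];
  return token ? sessions[token] ?? null : null;
}

// Pure decision: 401 no session, 404 unknown record, 403 caller is not the owner
// (and not an admin), 200 otherwise. Synchronous so it is easy to unit test.
export function authorizeProfileUpdate(session: Session | null, profileId: string): { status: number; profile?: Profile } {
  if (!session) return { status: 401 };
  const profile = profiles[profileId];
  if (!profile) return { status: 404 };
  if (profile.ownerId !== session.userId && session.role !== "admin") return { status: 403 };
  return { status: 200, profile };
}

// Handler for PATCH /api/profiles/[id]. The ownership check runs on every call,
// independent of whether middleware executed first.
export async function PATCH(req: Request, ctx: { params: { id: string } }): Promise<Response> {
  const decision = authorizeProfileUpdate(getSession(req), ctx.params.id);
  if (decision.status !== 200) return new Response(null, { status: decision.status });
  const body = (await req.json()) as { displayName?: string };
  if (typeof body.displayName === "string") decision.profile!.displayName = body.displayName;
  return new Response(JSON.stringify(decision.profile), { status: 200, headers: { "content-type": "application/json" } });
}
```

The same `authorizeProfileUpdate` decision can be reused inside a server action, which is where the `userId`-from-the-client IDOR pattern usually appears.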
Flowpatrol scans your live Next.js app for framework-specific vulnerabilities, not just generic web issues.
It sends requests with the `x-middleware-subrequest` header and compares responses, detecting whether your middleware is still bypassable or has been patched.
It checks that protected routes enforce authentication in route handlers and server components, not just middleware, testing for defense in depth.
It tests every discoverable endpoint for auth bypass, IDOR, injection, and SSRF, and verifies that server actions validate input and ownership.
Middleware, API routes, server actions, headers — one scan covers the full stack. Know where you stand before you ship.