Open in app

Sign in

Write

Sign in

What Happens on Next.js? How a Vulnerability in Next.js Framework Can Lead to Bypassing Middleware Authorization Checks!

CUBeeSEC Securities
5 min readMar 29, 2025

--

Next.js Framework

What is Next.Js?

Next.js is a powerful React framework used to build both server-side rendered (SSR) and static web applications. It simplifies development with file-based routing, API routes, and automatic code splitting, making apps faster and more efficient. With built-in support for SSR, static site generation (SSG), and incremental static regeneration, it boosts performance and SEO. The framework also includes middleware for adding custom logic during request processing. Its API routes make backend tasks easier by enabling serverless functions. Overall, Next.js is a go-to choice for creating scalable, fast, and SEO-friendly web apps.

Why Are Companies Adopting Next.js for Web Development?

Companies choose Next.js because it delivers high performance, scalability, and flexibility. Its server-side rendering (SSR) ensures faster load times and better SEO, making websites more discoverable. With static site generation (SSG), pages load instantly, improving user experience. API routes simplify backend development by eliminating the need for a separate server. The middleware feature allows custom security, authentication, and logging. Additionally, automatic code splitting optimizes loading speed by reducing unnecessary JavaScript. Overall, Next.js provides a modern, efficient framework for building fast, scalable, and SEO-friendly applications.

It can be any Network or Application or Any Hackers are there!!!

Hackers are Everywhere

What Happens to Next.js Version 14.2.25 and 15.2.3

Next.js versions 14.2.25 and 15.2.3 contain a critical vulnerability that allows attackers to bypass middleware authorization checks. This flaw occurs due to improper handling of trailing slashes and URL encoding, enabling unauthorized access to protected routes. Attackers can manipulate the URL format to skip middleware validation, potentially exposing sensitive data or restricted resources.

The vulnerability tracked as CVE-2025–29927, carries a CVSS score of 9.1 out of 10.0.

What Is Middleware in Next.js?

Middleware in Next.js is a function that sits between the request and the response, allowing you to run custom logic before completing the request cycle. It enables you to modify or validate requests, making it useful for authentication, logging, redirects, rate-limiting, and security checks.

How Middleware Works in Next.js

  • Middleware functions are executed before the request reaches the actual route or API handler.
  • It uses Edge Functions, meaning the code runs closer to the user (at the CDN level), improving performance.
  • Middleware can handle incoming requests, modify responses, or even rewrite URLs.
// middleware.ts
import { NextResponse } from 'next/server';
export function middleware(req) {
 const { pathname } = req.nextUrl;
// Redirect if user is not authenticated
 const isAuthenticated = req.cookies.get('auth-token');
if (!isAuthenticated && pathname.startsWith('/dashboard')) {
 return NextResponse.redirect('/login');
 }
return NextResponse.next();
}
export const config = {
 matcher: ['/dashboard/:path*'], // Apply middleware only to dashboard routes
};

Below is the Middleware Vulnerable Code

// middleware.ts (Vulnerable)
import { NextResponse } from 'next/server';
export function middleware(req) {
 const { pathname } = req.nextUrl;
// Extract authentication token from cookies
 const isAuthenticated = req.cookies.get('auth-token');
// 🛑 Vulnerability: Weak Authorization Check
 // Attackers can bypass this by appending a trailing slash or using encoded paths
 if (!isAuthenticated && pathname.startsWith('/dashboard')) {
 return NextResponse.redirect('/login');
 }
return NextResponse.next();
}
export const config = {
 matcher: ['/dashboard/:path*'], // Apply middleware only to dashboard routes
};

How Middleware Works in the Vulnerable Scenario

In your Next.js app, the middleware is applied to requests hitting the /dashboard route due to this configuration

export const config = {
matcher: [‘/dashboard/:path*’], // Middleware applies to /dashboard and subroutes
};

  • This means all requests to /dashboard and its subpaths (/dashboard/settings, /dashboard/profile) should trigger the middleware.
  • The middleware checks for the auth-token cookie and redirects unauthorized users to /login.

How the Attacker Exploits the Middleware

When you intercept the request in Burp Suite, you’re not bypassing the /dashboard route directly — you're exploiting the middleware itself by confusing its URL-matching behavior.

Exploiting the Middleware with Burp

In Burp Suite, you send a request to the middleware-protected route:

GET /dashboard HTTP/1.1  
Host: example.com  
Cookie: auth-token=invalid_token  
User-Agent: Mozilla/5.0

Since you have an invalid token, the middleware kicks in and redirects you to /login

The Exploit (Where Middleware Fails)

Now, you manipulate the URL in Burp Suite by adding a trailing slash or encoding:

GET /dashboard/ HTTP/1.1     ← Trailing Slash Exploit  
GET /dashboard%2F HTTP/1.1   ← Encoded Slash Exploit
  • The middleware fails to normalize the URL, treating /dashboard/ as a separate path from /dashboard.
  • This causes the middleware to skip execution, granting unauthorized access.

How Middleware Fails Internally

In the vulnerable middleware:

if (!isAuthenticated && pathname.startsWith('/dashboard')) {
    return NextResponse.redirect('/login');
}
  • This line only checks for /dashboard, not /dashboard/ or encoded versions.
  • The middleware logic doesn’t normalize the URL, allowing bypass with trailing slashes and encoding.

Here’s how the Burp flow with middleware interaction looks:

Original Request

GET /dashboard HTTP/1.1  
Host: example.com  
Cookie: auth-token=invalid_token

Middleware Execution: Redirects to /login due to missing authentication

Bypass Request:

GET /dashboard/ HTTP/1.1   ← Trailing Slash  
Host: example.com  
Cookie: auth-token=invalid_token

Middleware Skipped:

  • The server treats /dashboard/ as a different path.
  • The middleware doesn’t run, and the attacker gains unauthorized access

How to Fix and Prevent This Vulnerability

  • Normalize URLs Before Authorization Checks:
    → Use decodeURIComponent() and remove trailing slashes to standardize the URL before middleware validation.
    → This ensures /dashboard, /dashboard/, and /dashboard%2F are treated the same.
  • Strict Matching in Middleware:
    → Use case-insensitive and strict path matching.
    → Convert paths to lowercase and validate against a normalized list to prevent bypass.
  • Upgrade to the Latest Next.js Version:
    → Update to patched versions of Next.js, as the vulnerability is fixed in newer releases.
    → Use npm update next or yarn upgrade next.
  • Add Server-Side Authorization as Backup:
    → Implement server-side authorization checks on protected routes, even if middleware is bypassed.
    → This adds an extra layer of security.

References:

NVD CVE — 2025-29927

The Hackers News

Rapid 7 Blog

That’s it for now.

Cheers and peace out!

Want to Know About Us more: Read Here

Below is our Security Quote:

We Break It !! → We Fix It !! → We Secure It!!

We Play Our Own Game and Challenges Over Our Security Ground!

Sign up to discover human stories that deepen your understanding of the world.

Nextjs
Vulnerability Assessment
Bug Bounty
Cve 2025 29927
Penetration Testing

--

--

CUBeeSEC Securities
CUBeeSEC Securities

Written by CUBeeSEC Securities

4 Followers
2 Following

CUBeeSEC provides top-tier penetration testing & security solutions, safeguarding businesses from cyber threats with expert-driven strategies. #cybersecurity

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech