CVE-2025-29927 — Bypassing Next.js Middleware With a Single Header
CVE-2025-29927 is a critical middleware bypass in Next.js that lets attackers skip authentication logic by adding a single HTTP header: x-middleware-subrequest. Here's how it works, how to test it, and how to fix it.
Published by Jack Tolley on 18/05/2023