Case Study

Authorization bypass in Next.js middleware

CVSS 9.1
Fixed March 17, 2025
Disclosed March 21, 2025
Repository vercel/next.js

GHSA-f82v-jwr5-mffw — Next.js versions prior to 15.2.3 and 14.2.25 trusted the x-middleware-subrequest request header unconditionally. The header is an internal marker: Next.js sets it on subrequests it issues to itself so that middleware does not run again (and recurse) on its own fetches. The vulnerable versions honoured the header no matter who sent it, so a value arriving from the public internet was treated exactly like one added by the framework.

An attacker could therefore add the header to an ordinary unauthenticated request and have the whole middleware chain skipped: authentication checks, redirects, rewrites and any security headers the middleware would have set. Protected routes and API endpoints gated only in middleware became reachable directly. Applications whose route handlers or server components re-validate the session themselves were not fully exposed by this alone, but an application that relied on middleware as its single authorization gate was. Upgrading is the fix; where that is not immediately possible, stripping x-middleware-subrequest from inbound requests at the reverse proxy or load balancer prevents external clients from ever presenting it to the application.


🔴 PullLight — Critical Finding
This header is checked without verifying origin. An attacker can forge x-middleware-subrequest to bypass middleware entirely.
→ The fix adds session-scoped validation using crypto.randomBytes — this is the right pattern.

The patch replaced blind header trust with a secret that an external client cannot know. The server generates a random subrequest ID with a cryptographically secure RNG (the finding above names crypto.randomBytes) and attaches it to the subrequests it issues to itself; middleware now honours x-middleware-subrequest only when that accompanying value matches the one the server holds. The ID is server-side state, not a per-user session: it is never sent to browsers, so nothing in a normal response reveals it.

An external attacker can still send the x-middleware-subrequest header, but without the matching ID the header is ignored and middleware runs as it should. Only requests that originate from Next.js's own internal routing carry the secret.