Auth ⚑ Critical severity

Middleware Auth Bypass

Async auth middleware returns before completing — request proceeds unauthenticated.

Authentication middleware that neither calls `next()` nor returns early after rejecting a request leaves the request unauthenticated. In Express, if the auth check is async and the route handler fires before the middleware's check resolves, the request proceeds without an authenticated user attached. Next.js middleware's early-return behavior (CVE-2025-29927) caused `req.auth` to be `undefined` on certain requests, bypassing auth on affected routes.

❌ Vulnerable
// VULNERABLE — the 401 path does not return, and next() fires before verification resolves
app.use(async (req, res, next) => {
  const token = req.headers.authorization;
  if (!token) {
    // forgot return — execution falls through after the 401 is sent
    res.status(401).send('Unauthorized');
  }
  // forgot await — req.user is still undefined when the route handler fires
  verifyToken(token).then((user) => { req.user = user; });
  next();
});
✓ Fixed
// FIXED — explicit return on all paths, and next() only after the token is verified
app.use(async (req, res, next) => {
  const token = req.headers.authorization;
  if (!token) {
    return res.status(401).send('Unauthorized');
  }
  try {
    req.user = await verifyToken(token); // await before attaching auth context
    next(); // only reached with a verified user
  } catch (e) {
    return res.status(401).send('Unauthorized'); // an invalid token never reaches the handler
  }
});
CVE-2025-29927 (Next.js middleware auth bypass — bytemeta/next.js affected versions <= 15.1.5): `req.auth` was `undefined` for requests where the middleware returned early, so auth checks passed when they should not have. Next.js tracked the issue as CVE-2025-66478.
PullLight flags async middleware that doesn’t call `next()` or `res.send()`/`res.json()` on all code paths. It detects when `req.user` or `req.auth` is assigned without an early return guard, and flags middleware that returns a Promise but doesn’t explicitly `await` before setting auth context.
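The race described above, as an added example that is not code from the original page or from PullLight: a tiny stand-in for Express's middleware chain that runs the vulnerable and the fixed middleware against a missing, a forged and a valid token, and reports what the client would see. `verifyToken`, `makeRes`, `dispatch` and the token values are constructed here for the demonstration only.

```javascript
// Added example (not from the original page or from PullLight): a minimal stand-in
// for Express's middleware chain showing why calling next() before an async token
// check resolves lets the route handler run with req.user undefined, and why a
// missing return after res.send() lets execution fall through.

// Constructed async verifier: resolves to a user for one known token, rejects otherwise.
function verifyToken(token) {
  return new Promise((resolve, reject) => {
    setTimeout(() => {
      if (token === 'Bearer valid-token') resolve({ id: 42, role: 'user' });
      else reject(new Error('invalid token'));
    }, 5);
  });
}

// Minimal response object: records the status/body actually sent and refuses a
// second send, mirroring Express's "headers already sent" error.
function makeRes() {
  const res = { statusCode: 200, sentStatus: null, body: undefined, sent: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => {
    if (res.sent) throw new Error('headers already sent');
    res.sent = true;
    res.sentStatus = res.statusCode;
    res.body = body;
    return res;
  };
  return res;
}

// Protected route: exposes the caller's user id, or null if auth context is missing.
function profileHandler(req, res) {
  res.status(200).send({ userId: req.user ? req.user.id : null });
}

// VULNERABLE: the 401 branch does not return, and next() runs before verification resolves.
async function vulnerableAuth(req, res, next) {
  const token = req.headers.authorization;
  if (!token) {
    res.status(401).send('Unauthorized'); // no return: execution continues below
  }
  verifyToken(token)
    .then((user) => { req.user = user; }) // too late: the handler has already run
    .catch(() => {});                      // swallowed, so a bad token never blocks the request
  next();
}

// FIXED: every path either returns a response or awaits verification before next().
async function fixedAuth(req, res, next) {
  const token = req.headers.authorization;
  if (!token) {
    return res.status(401).send('Unauthorized');
  }
  try {
    req.user = await verifyToken(token);
    next();
  } catch (e) {
    return res.status(401).send('Unauthorized');
  }
}

// Stand-in for Express: run the middleware, call the handler if next() fires,
// let any dangling promise settle, and report what the client would have received.
async function dispatch(middleware, headers) {
  const req = { headers, user: undefined };
  const res = makeRes();
  let nextCalled = false;
  let handlerError = null;
  const next = () => {
    nextCalled = true;
    try { profileHandler(req, res); } catch (e) { handlerError = e.message; }
  };
  await middleware(req, res, next);
  await new Promise((resolve) => setTimeout(resolve, 20));
  return { status: res.sentStatus, body: res.body, nextCalled, handlerError };
}

// Run both middlewares against a missing, a forged and a valid token (constructed values).
async function runScenarios() {
  const cases = {
    missing: {},
    forged: { authorization: 'Bearer forged' },
    valid: { authorization: 'Bearer valid-token' },
  };
  const results = { vulnerable: {}, fixed: {} };
  for (const [name, headers] of Object.entries(cases)) {
    results.vulnerable[name] = await dispatch(vulnerableAuth, headers);
    results.fixed[name] = await dispatch(fixedAuth, headers);
  }
  return results;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the vulnerable chain the forged token gets a 200 with `userId: null`, because `next()` ran before `verifyToken` settled and the rejection was swallowed; the missing-token case sends the 401 and then trips "headers already sent" when the handler runs anyway. The fixed chain returns 401 without ever calling `next()` for the missing and forged tokens, and the handler sees `userId: 42` only for the verified one.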