
The Next.js web framework, known for being fast and easy to use, has recently caught the attention of security researchers. According to a report shared on Hacker News and detailed in research by Zhero Security and Yasser Allam (aka inzo_), a serious flaw was found in how middleware works in older versions of Next.js — especially around version 12.0.7.
This flaw allowed certain web requests to skip important safety checks, like login and permissions. That means attackers could have reached pages they weren’t supposed to see — like admin panels — just by tweaking a request header. This post breaks down what happened, shares some similar risks with Next.js, and passes along tips developers can use to protect their apps.
What Was the Middleware Bug?
The core issue was with how the framework handled a special request header called x-middleware-subrequest. This header was supposed to help Next.js decide which middleware to run on a request.
But here’s the problem: attackers figured out they could craft requests with this header in just the right way — using a value based on the internal middleware name — and the framework would skip the security checks entirely. In other words, it would trust the request too easily.
This wasn’t just a coding mistake. It showed a bigger design problem in how middleware trusted information from incoming requests.
➡️ For the full technical breakdown, see the original Zhero Security write-up:
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
Other Security Concerns with Next.js
This isn’t the only security issue developers need to think about with Next.js. Here are a few more risks researchers have pointed out:
1. Guessable Routes and Middleware Skipping
Older versions of Next.js used predictable naming for middleware files — like _middleware.ts — and relied on folder structure to decide which files to run. This made it easier for attackers to guess which middleware was in use and find ways to sneak past it.
One bug (CVE-2025-29927) showed that attackers could use this to mess with how caching worked, tricking the system into showing unauthorized content or even admin pages to the wrong people.
2. Server-Side Rendering (SSR) Leaks
Next.js uses something called server-side rendering to make pages faster and better for search engines. But if data isn’t handled carefully, this can also leak private info.
For example, if two users visit the site at the same time, the app might accidentally show one user’s info to the other — especially if caching isn’t set up right or cleanup steps are missing.
🔍 Developers should make sure no private data gets stored in shared caches and that all request data is carefully handled between page loads.
3. XSS and CSP Bypasses
Skipping middleware doesn’t just mean login systems can break — it can also mess with CSP rules (Content Security Policy). CSP helps protect websites from attacks like cross-site scripting (XSS), where bad code can be injected into the page.
If middleware is skipped, so are these defenses. That leaves pages open to attack in unexpected ways.
👀 HackerOne has some great public reports on similar issues:
https://hackerone.com/reports
What Can Developers Do?
Here are five practical steps developers should take if they use Next.js:
- Update regularly – Always install the latest version of Next.js. Patches for security issues come fast.
- Don’t trust headers blindly – Especially if they come from the user. Use stronger checks inside your app.
- Watch your cache – Make sure private data never gets stored where others might see it later.
- Double-check SSR routes – Use clear rules for what gets rendered and cached.
- Follow community blogs – Sites like Project Discovery and Strobes Security Blog often cover risks before they hit the headlines.
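A defensive illustration of the bug described above and of the "don’t trust headers blindly" step, added here and not taken from the article or from the Next.js project: a helper for a Node.js reverse proxy in front of Next.js that drops the x-middleware-subrequest header before forwarding, plus a check that flags access-log lines carrying that header. The log line format, the IP addresses and the placeholder header value are constructed for the example.

```javascript
// Added example (not from the article or Next.js). Assumes a Node.js proxy
// in front of Next.js; header names are compared case-insensitively, as
// Node's http module lower-cases them.
const UNTRUSTED_INTERNAL_HEADERS = new Set(['x-middleware-subrequest']);

// Returns { headers, stripped }: `headers` is safe to forward upstream,
// `stripped` lists the internal-only header names the client tried to send.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (UNTRUSTED_INTERNAL_HEADERS.has(key)) {
      stripped.push(key);
      continue;
    }
    clean[key] = value;
  }
  return { headers: clean, stripped };
}

// Detection over constructed access-log lines of the form
// "<ip> <method> <path> <status> hdr:<name>=<value>,<name>=<value>,...".
// Any external request carrying an internal-only header is worth a look,
// regardless of its value.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) (\S+) (\S+) (\d{3}) hdr:(.*)$/);
    if (!m) continue; // skip lines that do not match the expected format
    const [, ip, method, path, status, hdrs] = m;
    const names = hdrs.split(',').map(h => h.split('=')[0].trim().toLowerCase());
    if (names.some(n => UNTRUSTED_INTERNAL_HEADERS.has(n))) {
      hits.push({ ip, method, path, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample: a normal request redirected by middleware (307) and
// one that carried the internal header and reached the page (200).
const SAMPLE_LOG = [
  '203.0.113.5 GET /admin 307 hdr:user-agent=curl',
  '203.0.113.9 GET /admin 200 hdr:user-agent=curl,x-middleware-subrequest=<value-omitted>',
];

console.log(findBypassAttempts(SAMPLE_LOG));
```

Pairing the two checks is the point: the proxy strips the header so the framework never sees it, and the log check tells you whether anyone tried.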
Final Thoughts
Next.js is a great tool, but like any tech, it’s not perfect. Security researchers have helped shine a light on design choices that could be dangerous if left unchecked. Thankfully, many of these issues have fixes — and the best way to stay safe is to stay informed.
If you’re building apps with Next.js, it’s worth taking a little time to audit how your middleware, routes, and rendering logic are set up. A few tweaks could help avoid serious trouble down the road.
Sources
- Zhero Security Research: Next.js and the Corrupt Middleware
- Vercel Security Advisory: https://vercel.com/blog/next-js-security-advisory
- HackerOne Reports: https://hackerone.com/reports
✍️ Written by GreyFriar
📰 Summarizing the latest in cybersecurity & GenAI risk — in plain English