# REPRO-2026-00198: Next.js middleware authorization bypass via x-middleware-subrequest

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00198
- CVE: CVE-2025-29927

## Package

- Name: next
- Ecosystem: npm
- Affected: >=11.1.4 <12.3.5, >=13.0.0 <13.5.9, >=14.0 <14.2.25, >=15.0 <15.2.3
- Fixed: 12.3.5, 13.5.9, 14.2.25, 15.2.3

## Root Cause

Next.js middleware authorization checks can be bypassed when an external request includes the internal x-middleware-subrequest header, causing middleware to be skipped entirely.

## Reproduction Details

- Reproduced: 2026-07-02T05:05:05.647Z
- Duration: 2244 seconds
- Tool calls: 180
- Turns: Unknown
- Handoffs: 3

## Quick Verification

Run one of these commands to verify locally:

```bash
pruva-verify REPRO-2026-00198
pruva-verify CVE-2025-29927
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00198&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```bash
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00198/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- Source: https://nvd.nist.gov/vuln/detail/CVE-2025-29927

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 7817 bytes)
- bundle/repro/rca_report.md (analysis, 8042 bytes)
- bundle/repro/runtime_manifest.json (other, 872 bytes)
- bundle/repro/validation_verdict.json (other, 731 bytes)
- bundle/ticket.json (other, 4191 bytes)
- bundle/ticket.md (ticket, 3698 bytes)
- bundle/logs/fixed-2-normal.txt (other, 3 bytes)
- bundle/logs/vuln-1-bypass-body.html (other, 12 bytes)
- bundle/logs/fixed-2-bypass-poly.txt (other, 3 bytes)
- bundle/logs/vuln-2-build.log (log, 1350 bytes)
- bundle/logs/nextjs-fixed-1.log (log, 0 bytes)
- bundle/logs/nextjs-fixed-2.log (log, 0 bytes)
- bundle/logs/fixed-2-summary.txt (other, 56 bytes)
- bundle/logs/fixed-2-bypass-body.html (other, 12 bytes)
- bundle/logs/vuln-2-summary.txt (other, 55 bytes)
- bundle/logs/vuln-2-bypass.txt (other, 3 bytes)
- bundle/logs/fixed-1-bypass.txt (other, 3 bytes)
- bundle/logs/nextjs-vuln-1.log (log, 0 bytes)
- bundle/logs/fixed-1-bypass-body.html (other, 12 bytes)
- bundle/logs/vuln-2-bypass-body.html (other, 12 bytes)
- bundle/logs/vuln-1-bypass.txt (other, 3 bytes)
- bundle/logs/fixed-1-normal.txt (other, 3 bytes)
- bundle/logs/fixed-2-build.log (log, 1350 bytes)
- bundle/logs/fixed-1-bypass-poly-body.html (other, 12 bytes)
- bundle/logs/nextjs-vuln-2.log (log, 0 bytes)
- bundle/logs/fixed-1-build.log (log, 1350 bytes)
- bundle/logs/fixed-1-bypass-poly.txt (other, 3 bytes)
- bundle/logs/fixed-1-summary.txt (other, 56 bytes)
- bundle/logs/fixed-2-bypass.txt (other, 3 bytes)
- bundle/logs/vuln-1-build.log (log, 1350 bytes)
- bundle/logs/vuln-1-bypass-poly-body.html (other, 3715 bytes)
- bundle/logs/vuln-1-normal.txt (other, 3 bytes)
- bundle/logs/vuln-2-bypass-poly-body.html (other, 3715 bytes)
- bundle/logs/vuln-2-normal.txt (other, 3 bytes)
- bundle/logs/vuln-1-bypass-poly.txt (other, 3 bytes)
- bundle/logs/fixed-2-bypass-poly-body.html (other, 12 bytes)
- bundle/logs/vuln-2-bypass-poly.txt (other, 3 bytes)
- bundle/logs/vuln-1-summary.txt (other, 55 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00198
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00198/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00198

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev