Addressing the Critical Next.js Vulnerability: Updates to Agility CMS Example Repos and Starters
The overview and impact of the vulnerability and how Agility is protecting you.
| The document addresses a critical security vulnerability (CVE-2025-29927) in Next.js, allowing attackers to bypass middleware-based security controls. Agility CMS has updated its example repositories and starters to mitigate this risk, enhancing middleware security, authentication, authorization, and path rewriting. |
Overview of the Vulnerability
A critical security vulnerability (CVE-2025-29927, also detailed here) has been discovered in Next.js, a popular React-based web framework, which Agility CMS has several starters and reference projects for. This vulnerability allows attackers to bypass middleware-based security controls by manipulating the x-middleware-subrequest header, which was intended to be for internal use only in hosting environments. The flaw affects authentication flows, authorization controls, path rewriting, and security header implementations across multiple Next.js versions, potentially exposing numerous web applications to unauthorized access.
Impact on Next.js Applications
The vulnerability is particularly concerning for applications that rely on middleware for implementing access controls. Attackers can gain unauthorized access to protected resources, bypass authentication requirements, and circumvent security headers like Content Security Policy (CSP). The affected versions include Next.js 11.1.4 through 13.5.6, 14.x before 14.2.25, and 15.x before 15.2.3.
Response from Agility CMS
Due to this vulnerability, we are in the process of udpating our example repositories and starters for better security. Specifically, the Agility CMS Next.js Starter with Authenticated Routes has been revised to mitigate the risks associated with CVE-2025-29927.
Key Updates
-
Middleware Security Enhancements:
- The middleware implementation has been fortified to prevent unauthorized access by validating the x-middleware-subrequest header more rigorously.
- Additional checks have been introduced to ensure that requests cannot bypass security controls through header manipulation.
-
Authentication and Authorization Improvements:
- Enhanced authentication flows to ensure that user sessions are securely managed and validated.
- Strengthened authorization controls to protect sensitive routes and resources from unauthorized access. This is done by including the auth logic in BOTH the middleware and in the page.tsx files.
-
Path Rewriting and Security Headers:
- Improved path rewriting mechanisms to prevent attackers from reaching protected endpoints.
- Reinforced security headers, including CSP, to safeguard against potential exploits.
How to Update Your Projects
If you aren’t doing authenticated routes in your project, or if you aren’t using middleware at all, your project might not need to be updated, at least not with as much urgency.
Please note that websites deployed to Netlify are apparently not affected by this vulnerability, as outlined per this support post.
The upgrade guidelines provided in the Next.js Git repo https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw outline the various update pathways available for the currently supported versions.
If you are on major version 15, you should be updating to 15.2.3. For version 14, the fix is addressed in version 14.2.25.
For all other versions, there is a workaround described at the link above.
Within your own codebase, here are some things to look for:
-
Review and Apply Middleware Changes:
- Ensure that your middleware implementation aligns with the updated security practices outlined on the Next.js website.
- Make sure that any authorization checks are being done both at the middleware and the page/route level.
-
Test Your Application:
- Thoroughly test your application to confirm that the updates have been applied correctly and that your security controls are functioning as intended.
- Validate that the x-middleware-subrequest header attack does not affect your site, and implement additional security checks as needed. You can use a tool like PostMan or curl to do this. Publicly available testing guidelines are not yet available, but they should soon be.
By following these steps, you can ensure that your Next.js applications are protected against the critical vulnerability and continue to provide a secure experience for your users. 55558888
About the Author
Joel is CTO at Agility. His first job, though, is as a father to 2 amazing humans.
Joining Agility in 2005, he has over 20 years of experience in software development and product management. He embraced cloud technology as a groundbreaking concept over a decade ago, and he continues to help customers adopt new technology with hybrid frameworks and the Jamstack. He holds a degree from The University of Guelph in English and Computer Science. He's led Agility CMS to many awards and accolades during his tenure such as being named the Best Cloud CMS by CMS Critic, as a leader on G2.com for Headless CMS, and a leader in Customer Experience on Gartner Peer Insights.
As CTO, Joel oversees the Product team, as well as working closely with the Growth and Customer Success teams. When he's not kicking butt with Agility, Joel coaches high-school football and directs musical theatre. Learn more about Joel HERE.
