← All posts
criticalJun 28, 2026·6 min read

Next.js middleware bypass: one header to skip your auth

A crafted x-middleware-subrequest header lets attackers skip middleware entirely. If your auth lives there, patch now — we walk through detection, exploitation, and the fix.

ZA

Zach Winchester

chaosbyte crew

Next.js uses an internal header, x-middleware-subrequest, to track recursive middleware calls. The flaw: any external request can set that header, and the framework trusts it — skipping middleware execution entirely.

How the bypass works

Middleware in Next.js is the canonical place teams enforce authentication redirects, feature flags, and rate limits. If you can make the runtime believe the request is already inside a middleware sub-call, those checks never run.

# auth bypass — one header
curl -H "x-middleware-subrequest: middleware" \
     https://target.example/admin

# Response: 200 OK (should be 401)

What our AI caught in the wild

During automated scans we run against our own test targets and opted-in clients, we detected this pattern in three separate applications using Next.js 14.x between version 14.1.0 and 14.2.24. All three had authentication enforced solely in middleware with no fallback check at the API route level.

How to fix it

  1. Upgrade immediately. Patch to Next.js ≥15.2.3 or ≥14.2.25. The fix strips the internal header from external requests at the edge runtime level.
  2. Never rely on middleware alone. Enforce auth at the API route or server component level too. Middleware is a UX convenience layer, not a security boundary.
  3. Block the header at your CDN or WAF. Strip x-middleware-subrequest on inbound requests at the edge if you can't patch immediately. Cloudflare, Vercel, and AWS WAF all support header stripping rules.

Detection query

Check your access logs for inbound requests carrying the header. In most log formats:

grep -i "x-middleware-subrequest" /var/log/nginx/access.log