CVE-2025-30218

MEDIUM

Next.js <12.3.6, <13.5.10, <14 - SSRF

Title source: llm

Description

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id header, which persisted across multiple incoming requests. However, this subrequest ID is attached to all outgoing requests, even when the destination is not the same host as the Next.js application. Initiating a fetch request to a third party from within Middleware therefore sends the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

Scores

CVSS v3 5.9
EPSS 0.0023
EPSS Percentile 46.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (5)
npm/next 12.3.5 - 12.3.6 (npm)
vercel/next.js 12.3.5
vercel/next.js 13.5.9
vercel/next.js 14.2.25
vercel/next.js 15.2.3
Published Apr 02, 2025
Tracked Since Feb 18, 2026