Critical Security Advisory: Next.js Middleware Authorization Bypass (CVE-2025-29927)

On March 21st, 2025, a critical vulnerability (CVE-2025-29927) was disclosed affecting Next.js, the framework used by many storefronts built on HDL Commerce. This flaw could allow unauthorized access to routes protected by middleware, putting sensitive customer and business data at risk.

At HDL Commerce, we responded immediately to investigate, patch, and communicate with all affected clients.

What Happened?

The vulnerability stems from how Next.js middleware handles a special HTTP header:
x-middleware-subrequest

This header is used internally by the framework to manage request lifecycles. However, due to a flaw in validation logic, attackers could spoof this header—causing the application to skip critical middleware logic, including authentication and authorization steps.

In other words, a bad actor could potentially bypass login requirements or access internal routes if your storefront relied solely on middleware for access control.

Who Was Affected?

This impacted all storefronts using:

  • Next.js versions 11.1.4–13.5.6,
  • 14.0–14.2.24, and
  • 15.0–15.2.2

Several of our clients—such as Dogman, Zonefloorball, and Sail Racing—run storefronts built with Next.js and were potentially affected depending on their implementation.

HDL Commerce Response

✅ Upon discovery, our team:

  • Audited all storefront repositories
  • Deployed patches for any storefront using a vulnerable version
  • Tested and verified critical middleware and auth logic
  • Removed or blocked the misuse of the header at infrastructure level when needed
  • Logged the task as: Authorization Bypass in Next.js Middleware

This task was logged under client storefront scope, as this issue sits outside the core HDL Commerce platform API, and was instead handled within the customized storefront layer.

Core Platform vs Storefront Responsibility

At HDL, it’s important to distinguish two key components in our architecture:

Component          | Description                                                                  | Billing
HDL Commerce Core  | Our platform API engine—modular, headless, and secure.                       | Covered by your license
Storefront         | The customer-facing site, customized per brand (e.g., Dogman, Zonefloorball) | Time-based billing applies

The vulnerability was not in our platform core—it originated in the Next.js storefront framework, which is an external dependency. As such, fixes and adjustments were handled under your active support/retainer plan.

What You Should Do

We’ve already taken action for our managed storefronts. However, if you’re maintaining your storefront with your internal team or another partner:

  1. Check your Next.js version — Upgrade to:
    • 12.3.5+
    • 13.5.9+
    • 14.2.25+
    • 15.2.3+
  2. Strip the header at your proxy/load balancer
  3. Avoid relying solely on middleware for auth
    • Add route-level protection wherever applicable
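As an added example (not code from this advisory, from HDL Commerce or from Next.js), the Node.js snippet below shows steps 2 and 3 above in working form: the internal header is dropped and flagged at the edge, and the route handler re-checks the session itself so a skipped middleware run cannot grant access. The session store, request shape and route paths are assumed.

```javascript
// Header Next.js used internally; external clients have no legitimate reason to send it.
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Edge step: remove the internal header from any inbound request and report whether it
// was present, so the event can be logged or alerted on. Uses the standard Headers API.
function stripInternalHeader(rawHeaders) {
  const cleaned = new Headers(rawHeaders);
  const wasPresent = cleaned.has(INTERNAL_HEADER);
  cleaned.delete(INTERNAL_HEADER);
  return { headers: cleaned, wasPresent };
}

// Route-level step: the handler authorizes on its own, independent of middleware.
// `sessionLookup` is a hypothetical session store keyed by the Cookie header.
function protectedRouteHandler(request, sessionLookup) {
  const { headers, wasPresent } = stripInternalHeader(request.headers);
  const events = [];
  if (wasPresent) {
    // Detection signal: an internal-only header from the public side is worth an alert.
    events.push(`alert: ${INTERNAL_HEADER} received from ${request.remoteAddress} on ${request.path}`);
  }
  const session = sessionLookup(headers.get('cookie'));
  if (!session) {
    return { status: 401, body: 'authentication required', events };
  }
  if (request.path.startsWith('/admin') && session.role !== 'admin') {
    return { status: 403, body: 'forbidden', events };
  }
  return { status: 200, body: `hello ${session.user}`, events };
}

// Constructed sample session store (not a real backend).
const sampleSessions = { 'session=abc123': { user: 'alice', role: 'customer' } };
const lookup = (cookie) => sampleSessions[cookie] ?? null;

// Constructed request: carries the internal header but no valid session.
// The route still answers 401, whatever middleware did or did not do.
const spoofed = {
  path: '/account/orders',
  remoteAddress: '203.0.113.7',
  headers: { [INTERNAL_HEADER]: 'constructed-value', cookie: 'session=none' },
};

console.log(protectedRouteHandler(spoofed, lookup));
```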

Final Thoughts

This incident is a reminder that middleware should not be your only line of defense. At HDL Commerce, we always advocate for defense-in-depth, combining secure APIs, robust frameworks, and proactive monitoring.

If you have questions about your storefront’s security posture—or want us to conduct a quick audit—please contact your project manager or reach out to our support team.

Stay safe, stay updated.
– HDL Commerce Engineering Team