Quick Tip · March 31, 2026 · 5 min read

Your AI-Generated Next.js Auth Is Broken: Fix CVE-2025-29927 Now

By EndOfCoding

CVE-2025-29927 is a critical auth bypass in Next.js middleware that's under active exploitation. CVSS 9.1. The vulnerable pattern — checking auth in middleware only — is exactly what Claude Code, Cursor, and Copilot generate by default. If you've vibe-coded a Next.js app with protected routes in the last 12 months, you're almost certainly vulnerable. Here's the two-part fix.

What You'll Learn

You'll understand why middleware-only auth is broken, how to update Next.js to the patched version, and how to add the server-side auth layer that makes your app actually secure.

Why Middleware-Only Auth Fails

Next.js sets an internal header, x-middleware-subrequest, on requests that middleware makes to itself, so that middleware is skipped on those subrequests and never recurses. In versions through 14.2.29 and 15.2.2 this header is NOT stripped from incoming external requests, so anyone can add it and skip your middleware entirely:

curl -H "x-middleware-subrequest: middleware" https://your-app.com/api/protected/users
# Your auth never runs. Full access granted.

Step 1: Update Next.js

# Check current version
npm list next

# Update to patched version
npm install next@15.2.3
# or for Next.js 14:
npm install next@14.2.30

Step 2: Add Server-Side Auth to Every Protected API Route

Middleware is for UX (fast redirects). It's NOT a security boundary. Add auth verification directly in your route handlers:

// BEFORE (vulnerable even after patching)
import { NextResponse } from 'next/server'

export async function GET() {
  // middleware handles auth — WRONG: middleware is not a security boundary
  return NextResponse.json({ data: sensitiveData }) // sensitiveData: whatever this route returns
}

// AFTER (correct pattern)
import { NextResponse } from 'next/server'
import { auth } from '@/lib/auth' // your auth helper (NextAuth, Clerk, Supabase, ...)

export async function GET() {
  const session = await auth()
  if (!session) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  return NextResponse.json({ data: sensitiveData })
}

Step 3: Create a Shared Auth Guard

Don't repeat the auth check in every route. Create a utility:

// lib/auth-guard.ts
import { auth } from '@/lib/auth'
import { NextResponse } from 'next/server'

// Returns either a session or a ready-made 401 response, never both,
// so callers can't forget to handle the unauthenticated case.
export async function requireAuth() {
  const session = await auth()
  if (!session) {
    return { session: null, error: NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) }
  }
  return { session, error: null }
}

// Usage in any route handler:
import { NextResponse } from 'next/server'
import { requireAuth } from '@/lib/auth-guard'

export async function GET() {
  const { session, error } = await requireAuth()
  if (error) return error
  // session is guaranteed non-null here
  return NextResponse.json({ userId: session.user.id })
}

Step 4: Check Your Logs for Exploitation

Search your access logs for requests carrying x-middleware-subrequest that arrived before your patch date. If you find hits, audit what those requests accessed.
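The Step 4 log search as a runnable Node.js script, added here as an example (not code from the original post). It assumes JSON-lines access logs whose headers field records request headers (default access logs usually do not; header logging has to be enabled at the reverse proxy), an assumed patch date, and constructed sample lines; matching is on the header's presence, not its value.

```javascript
// Added example, not from the original post. Scans JSON-lines access logs for
// requests that carried x-middleware-subrequest and flags those that arrived
// before the patch date with a 2xx response: those are the ones to audit.
// Assumed log shape: {"ts": ISO-8601, "method", "path", "status", "headers": {name: value}}

const PATCH_DATE = new Date('2025-03-24T00:00:00Z') // assumption: your deploy date

// Constructed sample log lines, not real traffic. Header names vary in case.
const SAMPLE_LOG = [
  '{"ts":"2025-03-20T10:01:02Z","method":"GET","path":"/api/protected/users","status":200,"headers":{"user-agent":"curl/8.5.0","x-middleware-subrequest":"middleware"}}',
  '{"ts":"2025-03-21T11:12:13Z","method":"GET","path":"/dashboard","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ts":"2025-03-22T09:00:00Z","method":"POST","path":"/api/admin/export","status":200,"headers":{"X-Middleware-Subrequest":"middleware"}}',
  '{"ts":"2025-03-25T08:00:00Z","method":"GET","path":"/api/protected/users","status":401,"headers":{"x-middleware-subrequest":"middleware"}}',
  'garbage line that is not JSON',
].join('\n')

// Header names are case-insensitive, so compare lower-cased; the value is irrelevant.
function hasSubrequestHeader(headers) {
  return Object.keys(headers ?? {}).some(
    (name) => name.toLowerCase() === 'x-middleware-subrequest',
  )
}

// Returns every request that carried the header, annotated with whether it
// predates the patch and whether the server answered 2xx (i.e. auth was skipped).
function findSuspectRequests(logText, patchDate) {
  const hits = []
  for (const line of logText.split('\n')) {
    let entry
    try {
      entry = JSON.parse(line)
    } catch {
      continue // skip malformed lines rather than abort the audit
    }
    if (!hasSubrequestHeader(entry.headers)) continue
    const prePatch = new Date(entry.ts) < patchDate
    const served = entry.status >= 200 && entry.status < 300
    hits.push({ ts: entry.ts, method: entry.method, path: entry.path,
      status: entry.status, prePatch, likelyBypassed: prePatch && served })
  }
  return hits
}

// Distinct paths whose responses were likely served without auth: audit what data they return.
function pathsToAudit(hits) {
  return [...new Set(hits.filter((h) => h.likelyBypassed).map((h) => h.path))]
}

console.log('audit these routes:', pathsToAudit(findSuspectRequests(SAMPLE_LOG, PATCH_DATE)))
```

Post-patch hits (the 401 in the sample) are expected and harmless; pre-patch 2xx hits are the ones that need a data-access review.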

Common Challenges

'I just built this app last week with Claude': That's exactly the problem — AI tools generate the vulnerable pattern because it's in the Next.js docs. Update Next.js and add route-level auth checks.

'My app doesn't have sensitive data': Protected routes still expose your business logic, user enumeration, and internal APIs. Patch regardless.

'I use Supabase/Clerk/NextAuth — am I still affected?': Yes, if you only check auth in middleware. The auth provider doesn't matter — the middleware bypass bypasses ALL auth libraries when they're only called in middleware.js.

Advanced Tips

Use the secure middleware pattern going forward: Middleware should only do redirects for UX. Add a comment to your middleware.ts: // NOTE: Not a security boundary. All API routes verify auth independently.

CyberOS scans for this pattern: cyberos.dev includes CVE-2025-29927 detection in its Next.js security scan module. Run a scan before and after patching to verify.

Add to your vibe coding checklist: Every time an AI generates a protected API route, verify it has a session check. This is now a required pattern in the Vibe Coding Ebook Chapter 10 security checklist.

Prompt your AI correctly: Use the secure middleware prompt from Chapter 17 (Category 22.3) to generate Next.js auth that correctly implements dual-layer authentication from the start.

Conclusion

CVE-2025-29927 is a 15-minute fix: update Next.js and add session checks to API routes. The hard part is auditing whether you were already exploited. Do both today.

For the full Next.js security patterns guide, see Chapter 10 of the Vibe Coding Ebook. For more CVE alerts affecting vibe-coded apps, subscribe at EndOfCoding.