Next.js Middleware Subrequest ID Leakage Vulnerability

Vulnerability

A vulnerability exists in Next.js Middleware that allows the `x-middleware-subrequest-id` header to be sent to third-party hosts, potentially leading to unintended information disclosure. This issue arises because the subrequest ID, intended for internal use by the framework, is automatically attached to fetch requests made from middleware to external services, regardless of whether the destination host is the application's own. The vulnerability affects Next.js versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Impact

Exploitation of this vulnerability could result in the unintended leakage of the `x-middleware-subrequest-id` header value to external hosts, which may be misused if the third-party host is controlled by an attacker.

Remediation

Users are advised to update Next.js to version 12.3.6, 13.5.10, 14.2.26, or 15.2.4. Vercel customers are already protected by platform mitigations.
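To check which side of the fix an application sits on, the following is an added example that is not part of this advisory or of Next.js itself: it classifies a declared `next` version against the affected and fixed releases listed above (all function names are assumptions; the advisory is the only source for the version numbers).

```javascript
// Added example, not from the advisory: classify a `next` version against the
// releases named in this advisory. Assumption: within each release line the
// fix is the patch release immediately after the affected one, as stated above.
const FIXED_BY_MAJOR = { 12: "12.3.6", 13: "13.5.10", 14: "14.2.26", 15: "15.2.4" };
const AFFECTED = new Set(["12.3.5", "13.5.9", "14.2.25", "15.2.3"]);

// Parse "15.2.3", "v15.2.3" or a caret/tilde range like "^15.2.3" into [15, 2, 3].
function parseVersion(v) {
  const m = /^\s*[\^~v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric semver comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "affected", "fixed" or "not-listed" (a version this advisory does not
// name as affected) plus the fixed release for that major line, if any.
function assessNextVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[parsed[0]];
  if (!fixed) return { status: "not-listed", fixed: null };
  if (AFFECTED.has(parsed.join("."))) return { status: "affected", fixed };
  if (compareVersions(parsed, parseVersion(fixed)) >= 0) return { status: "fixed", fixed };
  return { status: "not-listed", fixed };
}

// Convenience for a parsed package.json object. A caret range only gives the
// declared lower bound, so confirm the installed version from the lockfile.
function assessPackageJson(pkg) {
  const range = (pkg.dependencies || {}).next;
  if (!range) return { status: "not-listed", fixed: null };
  return assessNextVersion(range);
}

// Constructed sample input for a stand-alone run.
console.log(assessPackageJson({ dependencies: { next: "^15.2.3" } }));
```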

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.0
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.