Azure Network Security Blog

Protect against Next.js CVE-2025-29927 with Azure Web Application Firewall (WAF)

yuvalpery
Microsoft
Mar 27, 2025

This blog post provides instructions for protecting against CVE-2025-29927 by creating a new custom rule in Azure Web Application Firewall.

Next.js versions prior to 12.3.5, 13.5.9, 14.2.25 and 15.2.3 are vulnerable to an authorization bypass within a Next.js application, according to the recently published CVE-2025-29927.

It is strongly recommended to upgrade Next.js to a patched version – 12.3.5, 13.5.9, 14.2.25 or 15.2.3. 

For Next.js 11.x versions, which currently have no patches available, or for other Next.js-based applications that cannot be patched immediately, creating a custom rule in Azure WAF can help mitigate this vulnerability. The custom rule blocks any request carrying the 'x-middleware-subrequest' header, which is used as part of this attack. Note that this is not an exploitation-specific rule but a more general approach, which would also block legitimate sites that use auth middleware.

Create a custom rule to mitigate CVE-2025-29927

  1. In Azure Portal, navigate to your Web Application Firewall, then select 'Settings' -> 'Custom Rules'.
  2. Click the 'Add Custom Rule' button.
  3. Give your custom rule a name, like 'CVE202529927', and set its priority from 1-100.
  4. In the Conditions, select Match Type = 'String', Match Variable = 'RequestHeaders', and 'Header Name' = 'x-middleware-subrequest'.
  5. Under 'Operation' select 'is', set 'Operator' to 'Regex' and the Match Values to '.*'.
  6. Under 'Then' section, select 'Deny Traffic' to block any request containing this header.
  7. Click 'OK' to complete editing, then select 'Save' to apply the new rule.
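The same rule expressed as an ARM-style customRules entry, with a small local evaluator to sanity-check what it would deny. This is an added example, not code from the original post or from Microsoft; the priority value (10) and the sample request headers are constructed, and the evaluator only approximates the WAF's header matching.

```python
"""CVE-2025-29927 custom rule as ARM-style JSON plus a local matcher."""
import re
from typing import Dict, List

# ARM-style entry for the customRules array of a WAF policy. It mirrors the
# portal steps above: RequestHeaders selector 'x-middleware-subrequest',
# operator Regex with value '.*', action Block. Priority 10 is an assumption.
CVE_2025_29927_RULE = {
    "name": "CVE202529927",
    "priority": 10,
    "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [
        {
            "matchVariables": [
                {"variableName": "RequestHeaders", "selector": "x-middleware-subrequest"}
            ],
            "operator": "Regex",
            "matchValues": [".*"],
        }
    ],
}


def rule_blocks(rule: Dict, headers: Dict[str, str]) -> bool:
    """Local approximation of WAF evaluation: True when every match condition
    is satisfied by the request headers (names compared case-insensitively,
    as HTTP requires). Only the RequestHeaders variable is modelled."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for cond in rule["matchConditions"]:
        hit = False
        for var in cond["matchVariables"]:
            if var["variableName"] != "RequestHeaders":
                continue
            value = lowered.get(var["selector"].lower())
            if value is None:
                continue  # header absent: nothing to match against
            if cond["operator"] == "Regex" and any(re.search(p, value) for p in cond["matchValues"]):
                hit = True  # '.*' also matches an empty header value
        if not hit:
            return False
    return rule["action"] == "Block"


# Constructed sample requests (headers only): two carry the internal header,
# the third is an ordinary browser request that must pass through.
SAMPLE_REQUESTS = [
    {"Host": "app.example", "X-Middleware-Subrequest": "middleware"},
    {"Host": "app.example", "x-middleware-subrequest": ""},
    {"Host": "app.example", "User-Agent": "Mozilla/5.0", "Cookie": "session=abc"},
]


def evaluate_samples() -> List[bool]:
    """Apply the rule to each sample; expected [True, True, False]."""
    return [rule_blocks(CVE_2025_29927_RULE, h) for h in SAMPLE_REQUESTS]
```

Because the header name is matched case-insensitively and '.*' matches even an empty value, the rule keys on the header's presence rather than its content.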

You can find more information about Custom Rules on Azure WAF for Application Gateway here, or for Azure Front Door here.

Updated Mar 25, 2025
Version 1.0