UNKNOWN npm
Next.js may leak x-middleware-subrequest-id to external hosts
GHSA-223j-4rm8-mrmf · CVE-2025-30218
Description
Summary
In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.
Learn more here.
Credit
Thank you to Jinseo Kim (kjsman) and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.