→

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-30218

CVE-2025-30218:

1.7

CVSS Score

4.0

-

CVSS Score

-

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next	npm	= 12.3.5	12.3.6
next	npm	= 13.5.9	13.5.10
next	npm	= 14.2.25	14.2.26
next	npm	= 15.2.3	15.2.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key behaviors visible in the provided code snippets: 1) The middlewareSubrequestId is stored in global scope without proper isolation, and 2) The x-middleware-subrequest-id header is added to all fetch requests regardless of destination. The primary vulnerable function is the request handler that adds the header to outgoing requests (NextMiddleware.run), while the global storage mechanism (MiddlewareRequestHandler.processRequest) enables the leakage. These would appear in runtime profiles during middleware execution and external fetch operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

Summary

Credit

CVE-2025-30218:

1.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

Summary

Credit

1.7

1.7

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

1.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

Summary

Credit

CVE-2025-30218:

1.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

Summary

Credit

1.7

1.7

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI