Miggo Logo
Miggo Vulnerability Database
CVE-2025-30218

CVE-2025-30218: Next.js may leak x-middleware-subrequest-id to external hosts

1.7

CVSS Score
4.0

Basic Information

CVE ID
CVE-2025-30218
GHSA ID
GHSA-223j-4rm8-mrmf
EPSS Score
0.19919%
CWE
CWE-200
Published
4/2/2025
Updated
4/3/2025
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package NameEcosystemVulnerable VersionsFirst Patched Version
nextnpm= 12.3.512.3.6
nextnpm= 13.5.913.5.10
nextnpm= 14.2.2514.2.26
nextnpm= 15.2.315.2.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key behaviors visible in the provided code snippets: 1) The middlewareSubrequestId is stored in global scope without proper isolation, and 2) The x-middleware-subrequest-id header is added to all fetch requests regardless of destination. The primary vulnerable function is the request handler that adds the header to outgoing requests (NextMiddleware.run), while the global storage mechanism (MiddlewareRequestHandler.processRequest) enables the leakage. These would appear in runtime profiles during middleware execution and external fetch operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry In t** pro**ss o* r*m**i*tin* [*V*-****-*****](*ttps://*it*u*.*om/**visori*s/**S*-***v-jwr*-m**w), w* look** *t ot**r possi*l* *xploits o* Mi**l*w*r*. W* in**p*n**ntly v*ri*i** t*is low s*v*rity vuln*r**ility in p*r*ll*l wit* two r*ports *

Reasoning

T** vuln*r**ility st*ms *rom two k*y ****viors visi*l* in t** provi*** *o** snipp*ts: *) T** `mi**l*w*r*Su*r*qu*stI*` is stor** in *lo**l s*op* wit*out prop*r isol*tion, *n* *) T** `x-mi**l*w*r*-su*r*qu*st-i*` *****r is ***** to *ll **t** r*qu*sts r*