CVE-2025-30218
Next.js discloses CVE-2025-30218, a low-severity vulnerability in Middleware that leaks the x-middleware-subrequest-id header to third-party hosts, with patches available for 15.x and prior versions.
In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low-severity vulnerability in parallel with two reports from independent researchers. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id header, which persisted across multiple incoming requests. However, this subrequest ID is attached to all outgoing requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third party from within Middleware will send the x-middleware-subrequest-id to that third party. While exploitation of this vulnerability is unlikely, because an attacker would need control of the third party, we want to be proactive.
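The leak described above comes down to one question: does an outbound request from Middleware carry an internal header to a host other than the application's own? The following is an added example, not Next.js or Vercel code, showing that check from a defender's side: a helper that forwards the header only to the application's own origin, and a small scan over constructed egress-log lines that reports where the header went to a third party. The header name x-middleware-subrequest-id is the one named in the advisory; the function names, the `appOrigin` parameter and the log format are this example's own assumptions.

```javascript
// Added example (not Next.js/Vercel code). Header name is from the advisory;
// function names, appOrigin parameter and log format are assumptions.
const INTERNAL_HEADERS = ["x-middleware-subrequest-id"];

// True when `url` targets exactly the application's own origin
// (scheme, host and port). Subdomains and other ports are treated as
// third parties, which is the conservative choice for internal identifiers.
function isSameOrigin(url, appOrigin) {
  return new URL(url).origin === new URL(appOrigin).origin;
}

// Build the header set an outbound fetch should carry. Internal headers are
// kept only when the destination is the app's own origin; any other host gets
// a copy with them removed. Header names are lower-cased in the result.
function outboundHeaders(incomingHeaders, destinationUrl, appOrigin) {
  const sameOrigin = isSameOrigin(destinationUrl, appOrigin);
  const out = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    const lower = name.toLowerCase();
    if (INTERNAL_HEADERS.includes(lower) && !sameOrigin) {
      continue; // would hand an internal identifier to a third party
    }
    out[lower] = value;
  }
  return out;
}

// Parse one constructed egress-log line of the form
//   "<method> <url> <name>=<value>;<name>=<value>"
// into { url, headers }. Values may themselves contain '='.
function parseEgressLine(line) {
  const [, url, headerBlob = ""] = line.split(" ");
  const headers = {};
  for (const kv of headerBlob.split(";")) {
    if (!kv) continue;
    const eq = kv.indexOf("=");
    headers[kv.slice(0, eq).toLowerCase()] = kv.slice(eq + 1);
  }
  return { url, headers };
}

// Detection over egress logs: return the destination URLs of requests that
// carried an internal header towards a host other than the app's own origin.
function findLeaks(logLines, appOrigin) {
  const leaks = [];
  for (const line of logLines) {
    const { url, headers } = parseEgressLine(line);
    const leaked = INTERNAL_HEADERS.some((h) => h in headers);
    if (leaked && !isSameOrigin(url, appOrigin)) leaks.push(url);
  }
  return leaks;
}

// Constructed sample data, not real traffic.
const SAMPLE_APP_ORIGIN = "https://app.example.com";
const SAMPLE_LOG = [
  "GET https://app.example.com/api/data x-middleware-subrequest-id=abc123;accept=application/json",
  "POST https://api.example.net/v1/ingest x-middleware-subrequest-id=abc123;content-type=application/json",
  "GET https://cdn.example.org/asset.js accept=*/*",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findLeaks(SAMPLE_LOG, SAMPLE_APP_ORIGIN)); // ["https://api.example.net/v1/ingest"]
}
```

`outboundHeaders` is the shape of an allow-list wrapper around a fetch call; `findLeaks` is the retrospective check a team can run over proxy or egress logs to see whether the identifier ever left the application's origin before the patch was applied.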
We were already planning on removing this recursion prevention logic from Middleware—it was not supported in newer updates to Middleware to support the Node.js runtime—this disclosure expedited our efforts to bring parity between runtimes. Vercel customers are protected with mitigations already implemented within our platform environment. We still encourage teams to update to the latest Next.js patch version or their chosen backport. Other infrastructure providers…