In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low-severity vulnerability in parallel with two reports from independent researchers.

## Summary

To mitigate CVE-2025-29927, Next.js began validating the `x-middleware-subrequest-id` header against a random value that is generated once per server process and persists across incoming requests:

```ts
const randomBytes = new Uint8Array(8)
crypto.getRandomValues(randomBytes)
const middlewareSubrequestId = Buffer.from(randomBytes).toString('hex');
(globalThis as any)[Symbol.for('@next/middleware-subrequest-id')] = middlewareSubrequestId
```

However, this subrequest ID was attached to every outgoing request made from Middleware, even when the destination was not the same host as the Next.js application:

```ts
init.headers.set(
  'x-middleware-subrequest-id',
  (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
)
```

Initiating a fetch request to a third party from within Middleware will therefore send the `x-middleware-subrequest-id` to that third party.…