Next.js Penetration Testing: Middleware Bypass, Cache Poisoning & Modern React Security
Next.js applications combine server rendering, edge middleware, ISR cache, and server actions — each a unique attack surface. The 2024 Next.js vulnerabilities include CVE-2024-43481 (middleware bypass, CVSS 9.1), CVE-2024-46982 (ISR cache poisoning), and CVE-2024-34351 (SSRF). Matproof Sentinel runs targeted Next.js pentests with proof-of-exploit and audit-ready DORA / NIS2 / ISO 27001 reports from €149.
Why Next.js demands specific pentest expertise
Next.js is the most popular React framework for modern full-stack applications, but its unique attack surface demands specific testing expertise. CVE-2024-43481 (CVSS 9.1, March 2024) enables complete authentication middleware bypass via the x-middleware-subrequest header — an unauthenticated attacker accesses protected routes including admin panels and transaction endpoints. CVE-2024-46982 exposes Next.js apps to ISR (Incremental Static Regeneration) cache poisoning. CVE-2024-34351 enables SSRF attacks via mishandled relative URLs. Beyond CVEs, Next.js 13+ Server Actions introduce new security patterns: server-side input validation, explicit authorization per action, and proper revalidate tag handling. For organizations under DORA Art. 24 or NIS2, a documented Next.js pentest is standard to demonstrate technical compliance.
- CVE-2024-43481 (CVSS 9.1): complete Next.js middleware bypass via x-middleware-subrequest header — unauthenticated access to protected routes including admin panels and payment endpoints.
- CVE-2024-46982: ISR cache poisoning — attacker manipulates the regenerated static cache, serving compromised content to other users without authentication required.
- CVE-2024-34351: SSRF via malformed relative URLs — access to cloud metadata endpoints (AWS IMDSv1, Google metadata server) and internal services.
- Server Actions (Next.js 13+): new security model requires server-side input validation and explicit authorization per action — an unguarded Server Action equals a public API endpoint.
- Cache strategies (ISR, dynamic, force-static): misconfigurations can leak cached data across users — particularly critical for multi-tenant SaaS applications.
- Edge middleware on Vercel / Cloudflare: limited runtime environments require specific tests to avoid bypass via environment differences.
- For applications under DORA Art. 24, NIS2, or GDPR Art. 32, a documented Next.js pentest is standard compliance evidence.
What we specifically test in a Next.js application
- Middleware bypass (CVE-2024-43481): test with manipulated x-middleware-subrequest headers to access protected routes; verify Next.js versions < 14.2.25 / < 13.5.7 / < 15.0.4.
- ISR cache poisoning (CVE-2024-46982): cache manipulation tests via the x-now-route-matches header; verification of the revalidate-on-stale configuration.
- SSRF via Next.js server (CVE-2024-34351): malformed relative URLs, attempt to reach cloud metadata endpoints (169.254.169.254/), internal VPC services.
- Server Actions security: Zod / Yup input validation, explicit authorization per action, correct useFormState with output sanitization.
- API routes: standard OWASP Top 10 (injection, broken auth, IDOR), TypeScript runtime type validation with Zod, rate limiting (no default in Next.js).
- next.config.js configuration: security headers (CSP strict, HSTS with preload), images.remotePatterns to avoid whitelist bypass.
- Authentication patterns: Next-Auth / Auth.js, Clerk, Lucia — JWT signing verification, session cookie flags (Secure, HttpOnly, SameSite), proper CSRF handling.
- Vercel-specific: edge functions vs node runtime, client-side exposed environment variables (NEXT_PUBLIC_*), preview deployments with authentication.
- Software composition analysis: package.json + package-lock.json checked for CVEs in dependencies (next, react, react-dom), transitive audit with npm audit --production.
- TypeScript strict mode: noUncheckedIndexedAccess to prevent runtime errors from undefined indices, strictNullChecks for type integrity.
Sample finding
CVE-2024-43481 — Middleware bypass via x-middleware-subrequest header
The Next.js 14.2.3 application is vulnerable to CVE-2024-43481, which allows a complete authentication middleware bypass via a manipulated x-middleware-subrequest HTTP header. An unauthenticated attacker can send a request such as GET /admin/users HTTP/1.1 with the header x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:src/middleware, which causes the authentication.ts middleware to be skipped. The test gained access to /admin/users (admin panel with the complete user list, emails and roles), /admin/orders (orders panel with partial payment data) and the /api/admin/* endpoints without authentication. The vulnerability is documented and patched in Next.js ≥ 14.2.25, ≥ 13.5.7 and ≥ 15.0.4. Time to exploit: 12 seconds.
Fix: Immediate action (priority 1): update Next.js to a patched version: ≥ 14.2.25 for the 14.x line, ≥ 13.5.7 for the 13.x line, ≥ 15.0.4 for the 15.x line. Verification: after the update, retry the exploit with the same payload; it must return 401/403. Complementary actions: implement second-layer authorization at the API route / Server Action level (never rely on middleware as the sole defense); enable a strict Content-Security-Policy with report-uri to detect exploitation attempts; configure the WAF (Cloudflare, AWS WAF) with an explicit block rule for the x-middleware-subrequest header from non-internal sources.
Reference: CVE-2024-43481 (CVSS 9.1) · CWE-285 Improper Authorization · OWASP A01:2021 Broken Access Control · Next.js Security Advisory GHSA-7gfc-8cq8-jh5f
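As an added illustration of the "never rely on middleware as the sole defense" advice in the fix above (example code, not Matproof's or Next.js's own), the following handler-level check rejects the x-middleware-subrequest header from non-internal sources and then authenticates and authorizes the request itself. It assumes lower-cased header names, a hypothetical in-memory session store in place of a real one, and that only loopback addresses count as internal.

```javascript
// Added example (not Matproof's or Next.js's own code): a handler-level
// authorization check that does not trust the edge middleware to have run.
// Assumptions (hypothetical): headers arrive lower-cased, an in-memory
// session store stands in for the real one, only loopback is "internal".
const ADMIN_PREFIXES = ['/admin', '/api/admin'];
const INTERNAL_SOURCES = new Set(['127.0.0.1', '::1']);
const SESSIONS = new Map([ // constructed sample sessions
  ['sess-admin-1', { user: 'alice', role: 'admin' }],
  ['sess-user-7', { user: 'bob', role: 'user' }],
]);

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

function isAdminPath(path) {
  return ADMIN_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Returns { status, reason }; 200 only when this handler's own checks pass,
// so a skipped or bypassed middleware cannot grant access by itself.
function authorizeAdminRequest({ path, headers = {}, remoteAddr }) {
  if (!isAdminPath(path)) return { status: 200, reason: 'public route' };
  // Detection: x-middleware-subrequest is an internal Next.js signal. Seen from
  // a non-internal source it indicates a bypass attempt; reject it and let the
  // reason reach the logs / WAF.
  if ('x-middleware-subrequest' in headers && !INTERNAL_SOURCES.has(remoteAddr)) {
    return { status: 403, reason: 'x-middleware-subrequest from external source' };
  }
  // Second layer: authenticate and authorize here, independent of middleware.
  const session = SESSIONS.get(parseCookies(headers.cookie).session);
  if (!session) return { status: 401, reason: 'no valid session' };
  if (session.role !== 'admin') return { status: 403, reason: 'insufficient role' };
  return { status: 200, reason: `admin:${session.user}` };
}

// Constructed requests from a TEST-NET address, including the finding's payload.
const BYPASS = 'src/middleware:src/middleware:src/middleware:src/middleware:src/middleware';
function runSamples() {
  return [
    { path: '/admin/users', headers: { 'x-middleware-subrequest': BYPASS }, remoteAddr: '203.0.113.5' },
    { path: '/admin/users', headers: {}, remoteAddr: '203.0.113.5' },
    { path: '/admin/users', headers: { cookie: 'session=sess-user-7' }, remoteAddr: '203.0.113.5' },
    { path: '/admin/users', headers: { cookie: 'session=sess-admin-1' }, remoteAddr: '203.0.113.5' },
  ].map((req) => authorizeAdminRequest(req).status); // [403, 401, 403, 200]
}
```

The same shape applies inside a Server Action: the action body performs the session and role check itself, and the header check belongs in the WAF or the handler rather than in the middleware it is meant to protect.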
Next.js pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Next.js pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about Next.js pentest
Which Next.js versions are affected by CVE-2024-43481?
All Next.js versions < 14.2.25 (14.x line), < 13.5.7 (13.x line), and < 15.0.4 (15.x line) are vulnerable. The vulnerability was disclosed and patched on March 14, 2024. Next.js versions < 12.x are not directly affected but are End-of-Life since 2023 and should be migrated.
Does the pentest cover Vercel, Cloudflare Workers, AWS Amplify, or only self-hosted?
We cover all Next.js deployment targets: Vercel (with Edge Functions vs Node Runtime specifics), Cloudflare Workers + Pages, AWS Amplify, Netlify, and self-hosted (Node.js, Docker, Kubernetes). For Vercel, we also test preview deployments with authentication, Edge Config, and KV store. For Cloudflare, Durable Objects and D1 database connections.
Do you also test Next.js App Router (Next.js 13+) or only Pages Router?
Both. App Router (Next.js 13+) has new security patterns: Server Actions, Streaming SSR, parallel routes with differentiated authentication, layout-level data fetching. For classic Pages Router (still in use in 65% of Next.js codebases per Vercel 2024), we test legacy patterns: getServerSideProps, API routes /pages/api/*.
How long does a complete Next.js pentest take?
Full automated scan (CVE-2024-43481, cache poisoning, SSRF, Server Actions, OWASP Top 10) takes about 60 minutes for a typical Next.js application. For complex applications (Next.js microservices, multi-tenant SaaS, global edge deployment), 2-3 hours. Audit-ready report within 24 hours.
Can we integrate Matproof Sentinel into our CI/CD with Vercel or Cloudflare?
Yes, in Starter (€299/mo) and Growth (€799/mo). For Vercel: GitHub Actions integration triggered on preview deployments — fast scan (15 min) on each PR, complete weekly scan on production. For Cloudflare: webhook integration with Cloudflare Workers Deployment events. Critical/High findings can automatically block merge via GitHub Status Checks.
Do you also test Next.js applications with tRPC, GraphQL, or REST APIs?
All API patterns: tRPC (with Zod validation and router authorization specifics), GraphQL (Apollo Server, GraphQL Yoga, urql) with a focus on query depth limiting, introspection in production and batch attacks, and classic REST APIs against the OWASP API Top 10 (2023).
Is the Matproof Sentinel report accepted for DORA Art. 24 or NIS2 audits?
Yes. The technical report is structured with explicit mapping to DORA Art. 24 (regular pentest), DORA Art. 25 (vulnerability management), NIS2 Art. 21 (technical measures), and ISO 27001:2022 A.8.29 (security testing in development). For Vercel headless deployments, we include specific evidence for the security questionnaire of common SaaS marketplaces.
What happens if we find Critical findings during the pentest?
Immediate email notification within 15 minutes of detection. The report includes: CVSS 3.1 severity, step-by-step reproduction with exact command, evidence (screenshot, request/response), impact analysis, and actionable remediation with example code. For Critical findings with potential immediate exploitation, we offer emergency response: direct call with a Matproof security engineer within 2 business hours.
Protect your Next.js application now
First scan in 3 minutes, complete Next.js pentest in 60 minutes with proof-of-exploit for every finding. Audit-ready DORA / NIS2 / ISO 27001 report from €149.
Start free scan