Zerosquare, 24/03/2025 at 14:52
Oh yes, it's not mentioned in that article, but I had read the explanation elsewhere:
CVE-2025-29927 - Understanding the Next.js Middleware Vulnerability (Strobes Security)
A critical Next.js Vulnerability (CVE-2025-29927) lets attackers bypass authentication. Learn how it works and protect your application now.
How The Bug Actually Works

The problem stems from a mechanism designed to prevent infinite loops. Next.js needed a way to stop middleware from calling itself endlessly, so developers added a counter.

Here’s what happens:
1. Every time middleware runs, Next.js checks a special header called x-middleware-subrequest
2. This header contains a count of how many times middleware has run
3. If it has run too many times (5 by default), Next.js skips the middleware entirely
4. The critical flaw: anyone can set this header themselves
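
The mechanism quoted above, as an added example that is not part of the original post or of the Next.js code base: a simplified model of a recursion guard that trusts a client-supplied counter, next to an edge filter that drops the internal header from external requests. The function names, the numeric counter format and the sample cookie are assumptions made for illustration.

```javascript
// Simplified model of the guard described in the quoted article (NOT Next.js source).
const GUARD_HEADER = 'x-middleware-subrequest';
const MAX_DEPTH = 5; // default limit quoted in the article

// Hypothetical auth middleware: only a valid session reaches the page.
function authMiddleware(req) {
  return req.headers['cookie'] === 'session=valid' // constructed sample value
    ? { status: 200, body: 'dashboard' }
    : { status: 401, body: 'login required' };
}

// Flawed guard: the depth counter is read from the request as-is, so it is
// trusted even when it was set by the client rather than by the framework.
function handleTrustingHeader(req) {
  const depth = Number.parseInt(req.headers[GUARD_HEADER] ?? '0', 10) || 0;
  if (depth >= MAX_DEPTH) {
    // Middleware is skipped entirely, and the auth check with it.
    return { status: 200, body: 'dashboard', middlewareRan: false };
  }
  return { ...authMiddleware(req), middlewareRan: true };
}

// Mitigation at the trust boundary (reverse proxy, load balancer, WAF):
// remove the internal header from every request that arrives from outside.
function stripInternalHeaders(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (lower !== GUARD_HEADER) headers[lower] = value;
  }
  return { ...req, headers };
}

function handleHardened(req) {
  return handleTrustingHeader(stripInternalHeaders(req));
}

// Constructed requests: one without a session that claims the limit was
// already reached, and one ordinary logged-in request.
const spoofed = { url: '/dashboard', headers: { 'x-middleware-subrequest': '5' } };
const loggedIn = { url: '/dashboard', headers: { cookie: 'session=valid' } };

console.log('trusting:', handleTrustingHeader(spoofed)); // middleware skipped
console.log('hardened:', handleHardened(spoofed));       // auth check enforced
console.log('normal  :', handleHardened(loggedIn));      // unaffected
```

Filtering at the edge only contains the problem; the durable fix is upgrading to a Next.js release that no longer honours this header from external requests.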