Description
Link to the code that reproduces this issue
https://github.com/enricoros/repro-nextjs-edge-issue
To Reproduce
- Clone and build the repro, or try it on https://repro-nextjs-edge-issue.vercel.app/
- Enter the Perplexity API Key (why Perplexity is used is explained later; it has to do with Cloudflare)
- Test the same API Call from Node.js and Edge runtimes
- Node.js works, Edge fails
- The culprit is in the "x-middleware-subrequest" header sent by the "fetch" request from the Edge runtime (never specified by the user)
Example of running this repro:
Current vs. Expected behavior
As a user of the fetch() API to call API endpoints, I expect it to work from both NodeJS and Edge Runtime requests. However, what happens is that outgoing request headers differ without any user input.
The substantial difference from Node to Edge, as far as the outgoing HTTP (fetch) request goes, is:
- User-Agent: `node` (Node.js runtime) vs `Next.js Middleware` (Edge runtime)
- x-middleware-subrequest: absent (Node.js runtime) vs present with the value `/api/edge` (Edge runtime)
- nothing else is meaningful
As this relates to https://nextjs.org/blog/cve-2025-29927, overzealous providers such as Cloudflare may block the fetch request when x-middleware-subrequest is present, rejecting all API calls from Edge Runtimes.
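To make the comparison above checkable rather than eyeballed, here is a small header-diff script. It is an added example, not code from the repro repository or from Next.js: the two header sets are constructed from the values named in this report (the `Authorization` and `Content-Type` entries are assumed filler), and the block list contains only the header that the linked Cloudflare changelog describes as being matched. It reports which outgoing headers differ between the Node.js and Edge captures and which of them would trip a CVE-2025-29927 WAF rule, so the same check can be rerun against fresh captures after an upgrade.

```javascript
// Added example (not part of the repro or of Next.js): diff the outgoing
// request headers captured from the Node.js and Edge runtimes and flag any
// header that a WAF rule written for CVE-2025-29927 would match.

// Constructed header sets, built from the values quoted in the report.
// 'Authorization' and 'Content-Type' are assumed filler shared by both sides.
const NODE_HEADERS = {
  'User-Agent': 'node',
  'Authorization': 'Bearer <redacted>',
  'Content-Type': 'application/json',
};

const EDGE_HEADERS = {
  'User-Agent': 'Next.js Middleware',
  'Authorization': 'Bearer <redacted>',
  'Content-Type': 'application/json',
  'x-middleware-subrequest': '/api/edge',
};

// Header names that providers block after CVE-2025-29927 (per the report).
const WAF_BLOCKED_HEADERS = ['x-middleware-subrequest'];

// HTTP header names are case-insensitive, so compare on lowercase keys.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns { name: { node, edge } } for every header that differs in value
// or that exists on only one side (missing side reported as null).
function diffHeaders(nodeHeaders, edgeHeaders) {
  const node = normalize(nodeHeaders);
  const edge = normalize(edgeHeaders);
  const names = new Set([...Object.keys(node), ...Object.keys(edge)]);
  const diff = {};
  for (const name of names) {
    if (node[name] !== edge[name]) {
      diff[name] = { node: node[name] ?? null, edge: edge[name] ?? null };
    }
  }
  return diff;
}

// Returns the names of outgoing headers that appear on the block list.
function findBlockedHeaders(headers, blocklist = WAF_BLOCKED_HEADERS) {
  const present = normalize(headers);
  return blocklist.filter((name) => name in present);
}

// Builds a human-readable report for one pair of captures.
function report(nodeHeaders, edgeHeaders) {
  const lines = [];
  const diff = diffHeaders(nodeHeaders, edgeHeaders);
  for (const [name, sides] of Object.entries(diff)) {
    lines.push(`${name}: node=${JSON.stringify(sides.node)} edge=${JSON.stringify(sides.edge)}`);
  }
  for (const [label, headers] of [['node', nodeHeaders], ['edge', edgeHeaders]]) {
    const blocked = findBlockedHeaders(headers);
    lines.push(`${label}: ${blocked.length ? 'would be blocked by WAF (' + blocked.join(', ') + ')' : 'no blocked headers'}`);
  }
  return lines.join('\n');
}

console.log(report(NODE_HEADERS, EDGE_HEADERS));
```

Pointing `NODE_HEADERS` and `EDGE_HEADERS` at real captures (for example from a request-logging endpoint on a server you control) turns this into a regression check: the Edge side should stop listing `x-middleware-subrequest` once the runtime no longer injects it.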
Provide environment information
Operating System:
Platform: win32
Arch: x64
Version: Windows 11 Home
Available memory (MB): 65142
Available CPU cores: 16
Binaries:
Node: 22.14.0
npm: 10.9.2
Yarn: 1.22.19
pnpm: N/A
Relevant Packages:
next: 15.2.3 // Latest available version is detected (15.2.3).
eslint-config-next: N/A
react: 19.0.0
react-dom: 19.0.0
typescript: 5.8.2
Next.js Config:
output: N/A
Which area(s) are affected? (Select all that apply)
Headers, Middleware, Runtime
Which stage(s) are affected? (Select all that apply)
next dev (local), next build (local), next start (local), Vercel (Deployed)
Additional context
This relates to https://nextjs.org/blog/cve-2025-29927 and https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/.
Due to the recent vulnerability some providers such as Cloudflare may block "x-middleware-subrequest".
Despite using the latest version of NextJS, fetch() (nodejs) requests that are made from the Edge runtime (export const runtime="edge", as opposed to ...="nodejs") will contain headers that will trigger the blocking rules.
In this report, we show how calling the Perplexity API (one API behind Cloudflare policies) will result in blockage of requests coming from Edge Runtime fetch() calls, and not from the NodeJS Runtime fetch() calls.
Note that the user does not seem to have control of the headers that get injected by NextJS and so does not have any possibility of fixing the issue.