
CVE-2025-30218: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in vercel next.js

Severity: Low
Tags: Vulnerability, CVE-2025-30218, CWE-200
Published: Wed Apr 02 2025 (04/02/2025, 21:23:14 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next.js

Description

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

AI-Powered Analysis

Last updated: 10/13/2025, 15:58:57 UTC

Technical Analysis

CVE-2025-30218 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Next.js framework by Vercel. Next.js uses an internal header, x-middleware-subrequest-id, to track subrequests within its middleware processing pipeline. To address a previous vulnerability (CVE-2025-29927), Next.js began validating this header so that it is honoured only on legitimate internal requests. The new vulnerability arises because the header is attached to every fetch request initiated from middleware, including requests to third-party hosts outside the Next.js application's own domain. An identifier intended purely for internal tracking is therefore disclosed to external, potentially untrusted parties.

The affected Next.js versions are 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The issue is fixed in versions 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

The CVSS 4.0 base score is 1.7 (low severity). The score is low primarily because the exposed information is limited to a request identifier; the attack vector requires network access to trigger middleware fetches and needs no authentication or user interaction. No known exploits have been reported in the wild. The vulnerability can lead to unauthorized disclosure of internal request-tracking data, which might aid an attacker in reconnaissance or in correlating requests, but it does not directly compromise system integrity or availability.

Potential Impact

For European organizations, the impact of CVE-2025-30218 is primarily related to confidentiality. Leakage of the x-middleware-subrequest-id to third-party services could allow attackers or external entities to correlate internal request flows or gain insight into application behavior. While this does not directly lead to system compromise or data manipulation, it can weaken privacy guarantees and potentially assist in more sophisticated attacks such as session correlation or traffic analysis. Organizations heavily reliant on Next.js for their web applications, especially those integrating multiple third-party services via middleware fetch calls, are at risk of inadvertently exposing internal identifiers. This could be particularly concerning for sectors handling sensitive user data, such as finance, healthcare, or government services. However, the low CVSS score and absence of known exploits suggest the immediate risk is limited. Still, failure to address this vulnerability could erode user trust and compliance with data protection regulations like GDPR if sensitive information is leaked externally.

Mitigation Recommendations

The primary mitigation is to upgrade all affected Next.js instances to the patched versions: 12.3.6, 13.5.10, 14.2.26, or 15.2.4, depending on the version in use. Beyond upgrading, organizations should audit their middleware fetch requests to third-party domains to ensure no sensitive headers or internal identifiers are unintentionally forwarded. Implement strict header filtering or sanitization in middleware to prevent leakage of internal tracking headers to external services. Additionally, review third-party integrations to assess the necessity and security posture of external endpoints receiving requests from middleware. Employ network monitoring to detect unusual outbound requests carrying internal headers. Finally, incorporate this vulnerability into regular security assessments and developer training to raise awareness about secure middleware practices in Next.js applications.
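The header-filtering and outbound-monitoring recommendations above, as an added example in JavaScript (this is not Next.js project code and not the fix shipped in the patched versions; upgrading remains the authoritative remediation). The example assumes the application's own host is known (the constructed placeholder `APP_HOST`) and that the internal header is the one named in the advisory, `x-middleware-subrequest-id`; it treats every `x-middleware-` prefixed header as internal. `filterOutboundHeaders` drops those headers only when the destination is a third-party host, `safeFetch` wraps `fetch` with that filter, and `findLeaks` applies the same rule to constructed outbound-request log records to flag requests that carried an internal header off-host.

```javascript
// Added example, not code from Next.js or from the advisory.
// Assumption: the application's own host (constructed placeholder).
const APP_HOST = 'app.example.test';

// Any header with one of these prefixes is treated as internal tracking data
// that must never leave the application host. The advisory names
// x-middleware-subrequest-id; the prefix rule generalises to siblings.
const INTERNAL_HEADER_PREFIXES = ['x-middleware-'];

// True if the header name (case-insensitive) is an internal middleware header.
function isInternalHeader(name) {
  const lower = String(name).toLowerCase();
  return INTERNAL_HEADER_PREFIXES.some((p) => lower.startsWith(p));
}

// True if the destination resolves to the application itself.
// Relative URLs are resolved against the app host, so they count as same-host.
function isSameHost(url, appHost = APP_HOST) {
  const resolved = new URL(String(url), `https://${appHost}/`);
  return resolved.host === appHost;
}

// Build the header set for an outbound request: keep everything for same-host
// requests, strip internal headers for third-party destinations.
// Returns a plain object (lower-cased names) so the result is easy to inspect.
function filterOutboundHeaders(headersInit, url, appHost = APP_HOST) {
  const headers = new Headers(headersInit || {});
  const sameHost = isSameHost(url, appHost);
  const out = {};
  for (const [name, value] of headers) {
    if (!sameHost && isInternalHeader(name)) continue; // drop, do not forward
    out[name] = value;
  }
  return out;
}

// Drop-in replacement for fetch inside middleware: same call shape, but the
// outgoing headers are passed through filterOutboundHeaders first.
async function safeFetch(url, init = {}, fetchImpl = fetch) {
  const headers = filterOutboundHeaders(init.headers, url);
  return fetchImpl(url, { ...init, headers });
}

// Monitoring side: given outbound-request log records of the form
// { url, headers: { name: value } }, return the records in which an internal
// header was sent to a host other than the application's own.
function findLeaks(records, appHost = APP_HOST) {
  return records.filter((rec) => {
    if (isSameHost(rec.url, appHost)) return false;
    return Object.keys(rec.headers || {}).some(isInternalHeader);
  });
}

// Constructed sample log records for a stand-alone run.
const SAMPLE_OUTBOUND_LOG = [
  { url: 'https://app.example.test/api/session',
    headers: { 'x-middleware-subrequest-id': 'abc123', accept: 'application/json' } },
  { url: 'https://api.third-party.test/v1/lookup',
    headers: { 'x-middleware-subrequest-id': 'abc123', accept: 'application/json' } },
  { url: 'https://api.third-party.test/v1/lookup',
    headers: { accept: 'application/json' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const leak of findLeaks(SAMPLE_OUTBOUND_LOG)) {
    console.log(`internal header sent off-host: ${leak.url}`);
  }
}

module.exports = { APP_HOST, isInternalHeader, isSameHost, filterOutboundHeaders, safeFetch, findLeaks, SAMPLE_OUTBOUND_LOG };
```

Note that because Next.js itself injects the header below the application's own fetch call in the affected versions, an app-level wrapper like `safeFetch` is a defence-in-depth layer around the middleware's own third-party calls; it does not replace the upgrade. The `findLeaks` rule is the same predicate applied to logged requests, which is what a detection on an egress proxy or request log would implement.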


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-03-18T18:15:13.850Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ed1ec2e2beed89262b47a4

Added to database: 10/13/2025, 3:46:10 PM

Last enriched: 10/13/2025, 3:58:57 PM

Last updated: 10/14/2025, 9:47:50 AM
