x-middleware-subrequest issue with Edge Runtime

[enricoros]

Link to the code that reproduces this issue

https://github.com/enricoros/repro-nextjs-edge-issue

To Reproduce

1. Clone and build the repro, or try it on https://repro-nextjs-edge-issue.vercel.app/
2. Enter the Perplexity API Key (why perplexity is explained later, but has to do with Cloudflare)
3. Test the same API Call from Node.js and Edge runtimes
4. Node.js works, Edge fails
5. The culprit is in the "x-middleware-subrequest" header sent by the "fetch" request from the Edge runtime (never specified by the user)

Example of running this repro:

Current vs. Expected behavior

As a user of the fetch() API to call api endpoints, I expect it to work from both NodeJS and Edge Runtime requests. However what happens is that outgoing request headers differ without any user input.

The substantial difference from Node to Edge as far as outgoing HTTP (fetch) request is:

• User agent: node vs Next.js Middleware
• x-middleware-subrequest: present /api/edge vs absent
• nothing else is meaningful

As this relates to https://nextjs.org/blog/cve-2025-29927, overzealous providers such as Cloudflare may block the fetch request when x-middleware-subrequest is present, rejecting all API calls from Edge Runtimes.

Provide environment information

Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Home
  Available memory (MB): 65142
  Available CPU cores: 16
Binaries:
  Node: 22.14.0
  npm: 10.9.2
  Yarn: 1.22.19
  pnpm: N/A
Relevant Packages:
  next: 15.2.3 // Latest available version is detected (15.2.3).
  eslint-config-next: N/A
  react: 19.0.0
  react-dom: 19.0.0
  typescript: 5.8.2
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Headers, Middleware, Runtime

Which stage(s) are affected? (Select all that apply)

next dev (local), next build (local), next start (local), Vercel (Deployed)

Additional context

This relates to https://nextjs.org/blog/cve-2025-29927 and https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/.

Due to the recent vulnerability some providers such as Cloudflare may block "x-middleware-subrequest".

Despite using the latest version of NextJS, fetch() (nodejs) requests that are made from the Edge runtime (export const runtime="edge", as opposed to ...="nodejs") will contain headers that will trigger the blocking rules.

In this report, we show how calling the Perplexity API (one API behind Cloudflare policies) will result in blockage of requests coming from Edge Runtime fetch() calls, and not from the NodeJS Runtime fetch() calls.

Note that the user does not seem to have control of the headers that get injected by NextJS and so does not have any possibility of fixing the issue.

[devajakamerus]

Isn't the whole subrequest header unnecessary in this case? It's a normal http request and the response doesn't even go thru middleware. It's just regular TCP connection , just blocking until request is done and then resume executing the middleware.