CVE-2025-29927
Authorization Bypass in Next.js Middleware
Severity: CRITICAL 9.1 | EPSS 92.1%
Description
# Impact

It is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware.

# Patches

* For Next.js 15.x, this issue is fixed in `15.2.3`
* For Next.js 14.x, this issue is fixed in `14.2.25`
* For Next.js 13.x, this issue is fixed in `13.5.9`
* For Next.js 12.x, this issue is fixed in `12.3.5`
* For Next.js 11.x, consult the below workaround.

_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._

# Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.

## Credits

- Allam Rachid (zhero;)
- Allam Yasser (inzo_)
Affected packages (1)
- npm/next >= 13.0.0, < 13.5.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (11)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- PATCH https://github.com/vercel/next.js
- WEB https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
- WEB https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
- WEB https://github.com/vercel/next.js/releases/tag/v12.3.5
- WEB https://github.com/vercel/next.js/releases/tag/v13.5.9
- WEB https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- WEB https://security.netapp.com/advisory/ntap-20250328-0002
- WEB https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware
- WEB http://www.openwall.com/lists/oss-security/2025/03/23/3
- WEB http://www.openwall.com/lists/oss-security/2025/03/23/4