CVE-2025-29927
Next.js Authorization Bypass in Middleware
Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
INFO
Published Date :
March 21, 2025, 3:15 p.m.
Last Modified :
April 8, 2025, 2:15 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.2
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2025-29927 has a 306 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-29927.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
vulnerable-nextjs-14-CVE-2025-29927
JavaScript
None
CSS TypeScript JavaScript
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
Cuckoo Scanner
Python
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
🔐 Python-based smart scanner for CVE-2025-29927 — Next.js middleware authentication bypass vulnerability. Detects meta refresh, keyword-based redirects, and more.
Python
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
None
JavaScript TypeScript CSS
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-29927 vulnerability anywhere in the article.
-
Help Net Security
Week in review: Chrome sandbox escape 0-day fixed, Microsoft adds new AI agents to Security Copilot
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft’s new AI agents take on phishing, patching, alert fatigue Microsoft is rolling out a new gen ... Read more
-
The Register
CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug
CrushFTP's CEO is not happy with VulnCheck after the CVE numbering authority (CNA) released an unofficial ID for the critical vulnerability in its file transfer tech disclosed almost a week ago. Accor ... Read more
-
The Hacker News
CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
Vulnerability / Threat Intelligence The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to it ... Read more
-
Hackread - Latest Cybersecurity, Tech, AI, Crypto & Hacking News
Next.js Middleware Flaw Lets Attackers Bypass Authorization
A recent collaborative effort by researchers Rachid Allam and Yasser Allam has exposed a critical vulnerability within the Next.js framework, a widely used JavaScript framework based on React with nea ... Read more
-
Cyber Security News
CrushFTP HTTPS Port Vulnerability Leads to Unauthorized Access
Two critical vulnerabilities have been identified in widely used software: CrushFTP and Next.js. CrushFTP, a file transfer solution, contains a vulnerability allowing unauthorized access through stand ... Read more
The following table lists the changes that have been made to the
CVE-2025-29927 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Apr. 08, 2025
Action Type Old Value New Value Changed Description Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3. Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3. Added Reference https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2 Added Reference https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48 Added Reference https://github.com/vercel/next.js/releases/tag/v12.3.5 Added Reference https://github.com/vercel/next.js/releases/tag/v13.5.9 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Mar. 28, 2025
Action Type Old Value New Value Added Reference https://security.netapp.com/advisory/ntap-20250328-0002/ -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Mar. 23, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/03/23/3 Added Reference http://www.openwall.com/lists/oss-security/2025/03/23/4 -
New CVE Received by [email protected]
Mar. 21, 2025
Action Type Old Value New Value Added Description Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Added CWE CWE-285 Added Reference https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-29927 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-29927
weaknesses.