CVE-2025-29927

Published Mar 21, 2025

Last updated 13 hours ago

CVSS critical 9.1
React
Next.js

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-29927 is an authorization bypass vulnerability affecting Next.js, a React framework. It stems from the improper handling of the `x-middleware-subrequest` header. By exploiting this vulnerability, attackers can bypass authorization checks implemented in Next.js middleware. This flaw allows attackers to skip running the middleware, potentially allowing requests to bypass critical checks like authorization cookie validation before reaching routes. Self-hosted Next.js applications using Middleware are affected, specifically those relying on it for authentication or security checks. The vulnerability is fixed in Next.js versions 14.2.25 and 15.2.3.

Description
Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
Source
security-advisories@github.com
NVD status
Received

Insights

Analysis from the Intruder Security Team
Published Mar 24, 2025 Updated Mar 24, 2025

This authentication bypass vulnerability in Next.js allows an attacker to bypass middleware validation steps such as checking the user is authorized to access a resource. The exploit is simple to use and could potentially be exploited en-masse, though some manual effort is likely to be required to identify routes that are not accessible without authentication.

The advisory states that deployments using next start and output: 'standalone' should be updated as a priority, and lists the affected versions.

Next.js is a full stack framework, and applications which are only using front-end elements of the framework will not be vulnerable. Additionally, popular WAFs like Cloudflare added detection rules for this exploit already, so there is also reduced risk for applications which are deployed behind a WAF with effective rules. However, WAFs should not be relied upon to protect against this weakness, as further research could reveal bypasses, or alternative routes to exploit the weakness.

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-285

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

99

  1. Next.js Middleware Authentication Bypass Vulnerability CVE-2025-29927 - Simplified With Demo 🕵️ I've created a comprehensive yet simple explanation of the critical Next.js middleware vulnerability that affects millions of apps 📖 https://t.co/A4t16mYiwf #NextJs #Vercel #React

    @yacine_kharoubi

    24 Mar 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-29927 ياعيب الشوم يا NextJs بثغره تهز مجاديفك، Bypassing Middleware عن طريق تمرير هيدر x-middleware-subrequest بقيم مكرره ٥ مرات مفصوله بـ: وبكذا قدرت تسوي تخطي https://t.co/YAtpu2v7Dq

    @ideltoon

    24 Mar 2025

    173 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    1 Reply

    0 Quotes

  3. 🚨 #CVE-2025-29927: Nextjs Middleware Authorization Bypass https://t.co/KU6WZbL1WL Educational Purposes!

    @UndercodeUpdate

    23 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. Next.jsのMiddlewareで認証している方はすぐに確認を!認可バイパス脆弱性(CVE-2025-29927)の解説と対策 https://t.co/5080ImYqaZ #Qiita

    @qiitapoi

    23 Mar 2025

    795 Impressions

    1 Retweet

    1 Like

    2 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 #CVE-2025-29927: Nextjs Middleware Authorization Bypass - Technical Analysis https://t.co/6NlqvUSiCP Educational Purposes!

    @UndercodeUpdate

    23 Mar 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Here’s a breakdown of CVE-2025-29927: Next.js Middleware Authorization Bypass. We’ve also added a Nuclei template for detecting this vulnerability, along with a lab where you can try it out for yourself. Check it out here: https://t.co/gcedFgmImS @pdnuclei https://t.co/F3AZ6WIP

    @princechaddha

    23 Mar 2025

    5532 Impressions

    31 Retweets

    107 Likes

    80 Bookmarks

    4 Replies

    0 Quotes

  7. Next.jsの脆弱性CVE-2025-29927まとめ|t3tra https://t.co/GVYavSvXOr #zenn

    @JUN_NETWORKS_JP

    23 Mar 2025

    137 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Anybody has Next.js - Middleware Bypass - CVE-2025-29927 POC or any related wri teup document anything??

    @Dedrknex

    23 Mar 2025

    46 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Use Vulhub to reproduce Next.js Middleware Authorization Bypass (CVE-2025-29927) https://t.co/JytCIYSx7C First screenshot 👉 Unauthorized and direct to login page Second screenshot 👉 Bypass https://t.co/bttJqkroqY

    @phithon_xg

    23 Mar 2025

    6506 Impressions

    20 Retweets

    96 Likes

    56 Bookmarks

    4 Replies

    0 Quotes

  10. Next.js CVE-2025-29927: 9.1 CVSS auth bypass. Patch to 14.2.25/15.2.3 now! Self-hosted? Act fast. #Nextjs https://t.co/l8x4BG6wsJ

    @zohaibdev

    23 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Next.js Middleware Exploit: CVE-2025-29927 Authorization Bypass https://t.co/E31jSxA9as

    @0vulns

    23 Mar 2025

    64 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  12. [1/6] Critical CVE alert - CVE-2025-29927. The Next.js team released a security advisory regarding a Critical-rated (CVSS 9.1) authorization bypass vulnerability. The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially

    @JFrogSecurity

    23 Mar 2025

    705 Impressions

    2 Retweets

    6 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  13. nextjs 身份认证绕过漏洞CVE-2025-29927 顺便求职base杭州上海北京均可 https://t.co/9adOAnzrXm

    @ch35tnut_

    23 Mar 2025

    48 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  14. Alhamdolilah bypassed CVE-2025-29927 with curl! Huge thanks to @zhero___ and @inzo____ for their awesome research—flipped 307 to 200 like a pro ❤️😊 Jazakallah Brothers https://t.co/dfvIhRxaX4

    @wgujjer11

    23 Mar 2025

    91 Impressions

    0 Retweets

    9 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  15. 🚨 CVE-2025-29927 ⚠️🔴 CRITICAL (9.1) 🏢 vercel - next.js 🏗️ >= 11.1.4, <= 1 3.5.6 🔗 https://t.co/kQygQdgH36 #CyberCron #VulnAlert #InfoSec https://t.co/hyRofJq9IA

    @cybercronai

    23 Mar 2025

    229 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

  16. サークルの友達とProgateハッカソン参加しまして、AWS賞を頂戴しました!今度社食に招待いただけるらしい 受賞理由に「セキュリティ意識」が挙げられて嬉しかったです!セキュキャンの経験が生きて、CVE-2025-29927にもしっかり対応したのが評価されてとても嬉しかった…! チームメンバーありがと〜! https://t.co/Wzd16q2kOk

    @3_Jugem

    23 Mar 2025

    1669 Impressions

    1 Retweet

    44 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  17. 📢 Critical patch for chatbot-ollama for nextjs CVE-2025-29927, NextJS updated to 14.2.25! I'm not actively maintaining this repo anymore, because I move to Open WebUI, but for simple experiments it is ok and still used out there. So in case update it! https://t.co/hqBErqK9Nb

    @ivanfioravanti

    23 Mar 2025

    1370 Impressions

    0 Retweets

    14 Likes

    4 Bookmarks

    2 Replies

    0 Quotes

  18. Here is how CVE-2025-29927 affects the apps ! I bypassed all middleware rules but adding x-middleware-subrequest header, here's the quick demo of how it works ! Targeted Version - 15.1.7 https://t.co/PC6ih6MbeJ

    @vineetwts

    23 Mar 2025

    2302 Impressions

    4 Retweets

    45 Likes

    25 Bookmarks

    3 Replies

    1 Quote

  19. 🚨 Critical Next.js vuln (CVE-2025-29927, CVSS 9.1) uncovered by @zhero___ & @inzo____. Middleware flaw allows unauthorized access. https://t.co/fbs0xIXegS

    @IntCyberDigest

    23 Mar 2025

    201 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  20. Next.jsの脆弱性CVE-2025-29927まとめ|t3tra https://t.co/wfrJ1tkGkP #zenn

    @yousukezan

    23 Mar 2025

    2461 Impressions

    5 Retweets

    28 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  21. Next.jsの認可バイパス脆弱性(CVE-2025-29927)まとめ https://t.co/Bi9nDNGEAK

    @suin

    23 Mar 2025

    63567 Impressions

    83 Retweets

    447 Likes

    249 Bookmarks

    3 Replies

    19 Quotes

  22. #CVE-2025-29927 A real case: an old version of a very popular large-scale web application can bypass the access code? But it seems that it cannot be used directly. https://t.co/n4AQ9v7IFT

    @_r00tuser

    23 Mar 2025

    111 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Regarding the CVE-2025-29927 patch! If not using Cloudflare or Vercel, you can block the "x-middleware-subrequest" header at the reverse proxy level. Nginx example below: https://t.co/2PSHN6vwlt

    @3nc0d3dGuY

    23 Mar 2025

    2103 Impressions

    4 Retweets

    29 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  24. Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true`. Over 300k hits in Shodan, find more at: https://t.co/ewMXHIWyzA

    @hdmoore

    23 Mar 2025

    11720 Impressions

    42 Retweets

    129 Likes

    51 Bookmarks

    1 Reply

    2 Quotes

  25. Critical Next.js Security Vulnerability: What You Need to Know About CVE-2025-29927 from @hashnode https://t.co/XFqsE9bg1r @nextjs

    @hopesneveE

    23 Mar 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨🚨 Critical Vulnerability Alert: CVE-2025-29927 (CVSS 9.8) – Next.js Middleware Authorization Bypass! ⚡ Vulnerability details: https://t.co/kWRTTo1ZwB 🔍 Overview: CVE-2025-29927 is a critical authorization bypass vulnerability in Next.js middleware. It allows https://t.co/SE

    @zoomeye_team

    23 Mar 2025

    2894 Impressions

    16 Retweets

    43 Likes

    13 Bookmarks

    1 Reply

    1 Quote

  27. 🚨🚨 Critical Vulnerability Alert: CVE-2025-29927 (CVSS 9.8) – Next.js Middleware Authorization Bypass! ⚡ Vulnerability details: https://t.co/kWRTTo1ZwB 🔍 Overview: CVE-2025-29927 is a critical authorization bypass vulnerability in Next.js middleware. It allows https://t.co/og

    @zoomeye_team

    23 Mar 2025

    101 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Vercel 대응이 이해가지 않는다. Next.js 보안 취약점 알리는 글에서 굳이 자사 호스팅 제품을 홍보하네 글 제목: Protection against Next.js CVE-2025-29927 트위터 카드, URL slug: Vercel Firewall proactively protects against vulnerability with Middleware https://t.co/to58eIKTvq https://t.co/rClUfGwVb5

    @hyunbinseo97

    23 Mar 2025

    542 Impressions

    1 Retweet

    4 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  29. CVE-2025-29927 – Next.js #HackerNews https://t.co/ynJFlfZVIG https://t.co/wx1dm8sVPh

    @hackernewstop5

    22 Mar 2025

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. the research paper is out: Next.js and the corrupt middleware: the authorizing artifact result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical) https://t.co/GZkbnr6o9H enjoy the read! https://t.co/KyfY8a3suR

    @zhero___

    22 Mar 2025

    63959 Impressions

    294 Retweets

    1088 Likes

    531 Bookmarks

    55 Replies

    29 Quotes

  31. CVE-2025-29927 – Next.js https://t.co/ItSjyetVOB 4

    @cevaboyz

    22 Mar 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2025-29927: Authorization Bypass in Next.js Middleware https://t.co/1mYz5GUlGL

    @_cvereports

    22 Mar 2025

    126 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  33. Cloudflare does a lot of cool things, but a simple yet cool thing that happened today is they protected all their customers from a critical CVE in @nextjs 🛡️ CVE-2025-29927 allowed anyone to bypass Next.js authentication middleware. The latest versions of v14 and v15 are

    @_ashleypeacock

    22 Mar 2025

    39027 Impressions

    27 Retweets

    396 Likes

    95 Bookmarks

    7 Replies

    2 Quotes

  34. The timeline of CVE-2025-29927, a critical security vulnerability in @nextjs: - March 17: Fixes were committed to Next.js by Vercel staff - March 21: CVE is published (…)

    @eduardoboucas

    22 Mar 2025

    79758 Impressions

    21 Retweets

    314 Likes

    106 Bookmarks

    2 Replies

    3 Quotes

  35. CVE-2025-29927やばくね???

    @t3tra_x

    22 Mar 2025

    498 Impressions

    0 Retweets

    8 Likes

    0 Bookmarks

    2 Replies

    1 Quote

  36. CVE-2025-29927 represents a critical security risk for Next.js applications. Authorization Bypass in Next.js Middleware. https://t.co/o9vLDcni6a https://t.co/cV4YKocmD9 https://t.co/8QBJIM4UHD

    @thesuhu

    22 Mar 2025

    15704 Impressions

    62 Retweets

    229 Likes

    132 Bookmarks

    4 Replies

    5 Quotes

  37. Next@13以下でmiddleware内で認証行っているプロダクトはさっさと14以上に上げたほうが良さそう / Authorization Bypass in Next.js Middleware · CVE-2025-29927 · GitHub Advisory Database https://t.co/dW2B6Hy8eo

    @about_hiroppy

    22 Mar 2025

    4621 Impressions

    8 Retweets

    36 Likes

    13 Bookmarks

    0 Replies

    1 Quote

  38. Next.js Middleware Exploit: Deep Dive into CVE-2025-29927 Authorization Bypass https://t.co/Y9nuSSMy3e https://t.co/kFTFSk6trb

    @ZeroPathLabs

    22 Mar 2025

    30 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. [CVE-2025-29927: CRITICAL] 🔒 Stay secure! Update your Next.js to versions 14.2.25 or 15.2.3 to fix a vulnerability allowing bypassing authorization checks through middleware. #CyberSecurity#cybersecurity,#vulnerability https://t.co/YIK2dmzE5D https://t.co/dYgune8dLS

    @CveFindCom

    21 Mar 2025

    137 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. CVE-2025-29927 Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js app… https://t.co/EeFe1DcxWJ

    @CVEnew

    21 Mar 2025

    461 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References