CVE-2025-29927: Authorization Bypass in Next.js Middleware

9.1 CVSS

Description

Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.

Classification

CVE ID: CVE-2025-29927

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-285: Improper Authorization

Affected Products

Vendor: vercel

Product: next.js

Nuclei Template

http/cves/2025/CVE-2025-29927.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 91.42% (probability of being exploited)

EPSS Percentile: 99.63% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-29927
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

Timeline

2025-03-21 15:40:15 UTC
CVE

Authorization Bypass in Next.js Middleware
2025-03-21 16:15:28 UTC
Github Advisory Database (NPM)

[next] Authorization Bypass in Next.js Middleware
2025-03-24 10:30:30 UTC
TheHackerNews

Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
2025-03-25 15:15:29 UTC
Rapid7

Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP
2025-04-02 23:15:25 UTC
Github Advisory Database (NPM)

[next] Next.js may leak x-middleware-subrequest-id to external hosts