CVE-2025-29927 CRITICAL

CVE-2025-29927: Authorization Bypass in Next.js Middleware

Vendor Vercel
Product next.js
Weakness CWE-285
Published March 21, 2025
Last update April 8, 2025
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Key dates

02Disclosure timeline

March 21, 2025 CVE published
April 8, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-2077 yeqifu warehouse Role Management RoleController.java deleteRole improper authorization CVE-2025-6525 70mai 1S Configuration Config.cgi improper authorization CVE-2025-4104 Frontend Dashboard 1.0 - 2.2.6 - Missing Authorization to Unauthenticated Privilege Escalation via fed_wp_ajax_fed_login_form_post Function CVE-2025-30373 Graylog Authenticated HTTP inputs do ingest message even if Authorization header is missing or has wrong value CVE-2025-7947 jshERP Account delete improper authorization