CVE-2025-29927: Authorization Bypass in Next.js Middleware
First published: Fri Mar 21 2025(Updated: )
# Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. # Patches * For Next.js 15.x, this issue is fixed in `15.2.3` * For Next.js 14.x, this issue is fixed in `14.2.25` * For Next.js 13.x, this issue is fixed in `13.5.9` * For Next.js 12.x, this issue is fixed in `12.3.5` * For Next.js 11.x, consult the below workaround. _Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._ # Workaround If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. ## Credits - Allam Rachid (zhero;) - Allam Yasser (inzo_)
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vercel | <14.2.25<15.2.3 | |
| npm/next | >=11.1.4<12.3.5 | 12.3.5 |
| npm/next | >=15.0.0<15.2.3 | 15.2.3 |
| npm/next | >=14.0.0<14.2.25 | 14.2.25 |
| npm/next | >=13.0.0<13.5.9 | 13.5.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- http://www.openwall.com/lists/oss-security/2025/03/23/3
- http://www.openwall.com/lists/oss-security/2025/03/23/4
- https://security.netapp.com/advisory/ntap-20250328-0002/
- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- https://github.com/vercel/next.js/releases/tag/v12.3.5
- https://github.com/vercel/next.js/releases/tag/v13.5.9
- https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware
- https://security.netapp.com/advisory/ntap-20250328-0002
- https://github.com/advisories/GHSA-f82v-jwr5-mffw (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-29927?
CVE-2025-29927 has been classified as a high severity vulnerability due to the potential for unauthorized access in Next.js applications.
How do I fix CVE-2025-29927?
To fix CVE-2025-29927, update to Next.js version 14.2.25 or 15.2.3 or later.
What versions of Next.js are affected by CVE-2025-29927?
CVE-2025-29927 affects Next.js versions prior to 14.2.25 and 15.2.3.
What does CVE-2025-29927 allow an attacker to do?
CVE-2025-29927 allows attackers to bypass authorization checks in Next.js applications when these checks are performed in middleware.
Are there any workarounds for CVE-2025-29927 if I cannot update?
If updating is not possible, implementing additional server-side checks for authorization in app logic can serve as a temporary workaround for CVE-2025-29927.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-29927
- agent/softwarecombine
- agent/description
- collector/bleeping-computer
- source/BleepingComputer
- agent/source
- agent/news-ai
- zeroday/true
- agent/severity
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f82v-jwr5-mffw
- agent/last-modified-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/exploited
- exploited/true
- proof-of-concept/true
- agent/trending
- agent/tags
- agent/event
- collector/github-advisory
- vendor/vercel
- canonical/vercel
- package-manager/npm