CVE-2025-29927
Bypass authorization checks vulnerability in next (npm)
What is CVE-2025-29927 About?
Next.js runs a project's `middleware` for every matching request before the route handler, and many applications place their only authentication or authorization check there. Before the fix, Next.js also used the internal `x-middleware-subrequest` header to recognise its own subrequests and skip the middleware, to avoid infinite recursion, without verifying that the header had actually been set by Next.js. A client that sends this header from outside therefore skips the middleware, and with it any authorization it enforces, and reaches protected pages and API routes unauthenticated. Fixed versions exist for every affected release line (12.3.5, 13.5.9, 14.2.25 and 15.2.3). Where an upgrade is not immediately possible, the workaround is to drop or reject any external request carrying `x-middleware-subrequest` at the reverse proxy, load balancer or WAF in front of the application.
Affected Software
- next
- >15.0.0, <15.2.3
- >13.0.0, <13.5.9
- >11.1.4, <12.3.5
- >14.0.0, <14.2.25
Technical Details
Next.js middleware can itself send requests back into the application (for example through a `NextResponse.rewrite`). To stop such a request from re-entering the middleware indefinitely, the server tagged internal subrequests with the `x-middleware-subrequest` header, whose value is a colon-separated list of the middleware identifiers already traversed, and skipped the middleware whenever that list named the middleware about to run (`middleware` or `src/middleware` for a root-level middleware file, `pages/_middleware` for the older `pages/` layout). In 15.x the check counted occurrences of the name and compared the count against a fixed recursion limit of 5 rather than testing for a single occurrence. The server never checked that the header originated from Next.js rather than from the client, so an external request with a suitable value is treated as a subrequest: the middleware is not executed at all, none of its redirect or 401 responses are produced, and the request goes straight to the page or route handler. Authorization enforced only in middleware is therefore bypassed; checks performed inside the route handler or server component itself are unaffected. The fix ties the header to a per-process random identifier that Next.js attaches to its own subrequests, so a value supplied by a client is ignored.
What is the Impact of CVE-2025-29927?
Successful exploitation lets an unauthenticated remote attacker reach any page or API route that is protected solely by middleware: admin dashboards, authenticated API endpoints, tenant-scoped routes, and middleware-enforced redirects or IP and geography restrictions. Because the whole middleware is skipped, anything else it does for the request (security headers, rate limiting, rewrites) is lost as well. Applications that additionally verify the session inside each route handler or server component are not exposed in the same way, and static exports, which run no middleware, are not affected.
What is the Exploitability of CVE-2025-29927?
Exploitation requires only the ability to send an HTTP request to the vulnerable application: no credentials, no user interaction, and no knowledge beyond the middleware's internal name, which is one of a handful of values (`middleware`, `src/middleware`, or `pages/_middleware` for the older layout) and can be enumerated in a few requests. For 12.x through 14.x a single `x-middleware-subrequest: middleware` header is enough; 15.x requires the name repeated up to the recursion limit, for example `middleware:middleware:middleware:middleware:middleware`. Complexity is therefore low, and the public proof-of-concept tools listed below automate the probing. The deployments at risk are self-hosted Next.js applications whose authentication or authorization lives only in middleware, with no route-level check and nothing in front of them stripping the header.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| aydinnyunus | Link | CVE-2025-29927 Proof of Concept |
| AnonKryptiQuz | Link | NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.js |
| websecnl | Link | Proof-of-Concept for Authorization Bypass in Next.js Middleware |
What are the Available Fixes for CVE-2025-29927?
Available Upgrade Options
- next
  - >=11.1.4, <12.3.5 → Upgrade to 12.3.5
  - >=13.0.0, <13.5.9 → Upgrade to 13.5.9
  - >=14.0.0, <14.2.25 → Upgrade to 14.2.25
  - >=15.0.0, <15.2.3 → Upgrade to 15.2.3
After upgrading, confirm that the installed copy is actually the patched one (`npm ls next`), since a lockfile or a transitive dependency can keep an older release in place. If upgrading is not yet possible, block or strip any inbound `x-middleware-subrequest` header at every proxy, load balancer or WAF that fronts the application, matching the header name case-insensitively, and alert on its presence: legitimate clients never send it, so any occurrence from outside is an exploitation attempt.
Additional Resources
- http://www.openwall.com/lists/oss-security/2025/03/23/4
- https://osv.dev/vulnerability/GHSA-f82v-jwr5-mffw
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
What are Similar Vulnerabilities to CVE-2025-29927?
Similar Vulnerabilities: CVE-2023-44487 , CVE-2023-46080 , CVE-2023-45819 , CVE-2024-21010 , CVE-2023-49033
