CVE-2025-29927

Authorization Bypass in Next.js Middleware

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

NVD
MITRE

Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-03-12 CVE Reserved
2025-03-21 CVE Published
2025-03-22 First Exploit
2025-04-08 CVE Updated
2025-04-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-285: Improper Authorization

CAPEC

References (67)

URL	Tag	Source
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw	X_refsource_confirm
https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2	X_refsource_misc
https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48	X_refsource_misc
https://github.com/vercel/next.js/releases/tag/v12.3.5	X_refsource_misc
https://github.com/vercel/next.js/releases/tag/v13.5.9	X_refsource_misc

URL	Date	SRC
https://packetstorm.news/files/id/189975	2025-03-24
https://packetstorm.news/files/id/190041	2025-03-26
https://packetstorm.news/files/id/190283	2025-04-07
https://www.exploit-db.com/exploits/52124	2025-04-05
https://github.com/serhalp/test-cve-2025-29927	2025-03-22
https://github.com/Ademking/CVE-2025-29927	2025-03-24
https://github.com/6mile/nextjs-CVE-2025-29927	2025-03-25
https://github.com/azu/nextjs-cve-2025-29927-poc	2025-03-25
https://github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927	2025-03-25
https://github.com/aydinnyunus/CVE-2025-29927	2025-03-26
https://github.com/ticofookfook/poc-nextjs-CVE-2025-29927	2025-03-23
https://github.com/t3tra-dev/cve-2025-29927-demo	2025-03-24
https://github.com/websecnl/CVE-2025-29927-PoC-Exploit	2025-03-25
https://github.com/MuhammadWaseem29/CVE-2025-29927-POC	2025-03-25
https://github.com/strobes-security/nextjs-vulnerable-app	2025-03-25
https://github.com/RoyCampos/CVE-2025-29927	2025-03-25
https://github.com/fourcube/nextjs-middleware-bypass-demo	2025-03-25
https://github.com/iSee857/CVE-2025-29927	2025-03-26
https://github.com/arvion-agent/next-CVE-2025-29927	2025-03-25
https://github.com/Oyst3r1ng/CVE-2025-29927	2025-03-25
https://github.com/lediusa/CVE-2025-29927	2025-03-24
https://github.com/lem0n817/CVE-2025-29927	2025-03-24
https://github.com/kuzushiki/CVE-2025-29927-test	2025-03-25
https://github.com/ricsirigu/CVE-2025-29927	2025-03-25
https://github.com/0xWhoknows/CVE-2025-29927	2025-03-24
https://github.com/tobiasGuta/CVE-2025-29927-POC	2025-03-24
https://github.com/elshaheedy/CVE-2025-29927-Sigma-Rule	2025-03-24
https://github.com/furmak331/CVE-2025-29927	2025-03-25
https://github.com/takumade/ghost-route	2025-03-25
https://github.com/0xPb1/Next.js-CVE-2025-29927	2025-03-25
https://github.com/jeymo092/cve-2025-29927	2025-03-25
https://github.com/alihussainzada/CVE-2025-29927-PoC	2025-03-25
https://github.com/TheresAFewConors/CVE-2025-29927-Testing	2025-03-25
https://github.com/0xPThree/next.js_cve-2025-29927	2025-03-25
https://github.com/0xcucumbersalad/cve-2025-29927	2025-03-25
https://github.com/c0dejump/CVE-2025-29927-check	2025-03-26
https://github.com/maronnjapan/claude-create-CVE-2025-29927	2025-03-25
https://github.com/kOaDT/poc-cve-2025-29927	2025-03-26
https://github.com/yugo-eliatrope/test-cve-2025-29927	2025-03-26
https://github.com/Eve-SatOrU/POC-CVE-2025-29927	2025-03-26
https://github.com/Slvignesh05/CVE-2025-29927	2025-03-26
https://github.com/gotcadumitru/test-cve-2025-29927	2025-03-26
https://github.com/aleongx/CVE-2025-29927	2025-03-26
https://github.com/nicknisi/next-attack	2025-03-26
https://github.com/jmbowes/NextSecureScan	2025-03-27
https://github.com/ferpalma21/Automated-Next.js-Security-Scanner-for-CVE-2025-29927	2025-03-27
https://github.com/Nekicj/CVE-2025-29927-exploit	2025-03-27
https://github.com/m2hcz/m2hcz-Next.js-security-flaw-CVE-2025-29927---PoC-exploit	2025-03-27
https://github.com/KaztoRay/CVE-2025-29927-Research	2025-03-27
https://github.com/nocomp/CVE-2025-29927-scanner	2025-03-27
https://github.com/yuzu-juice/CVE-2025-29927_demo	2025-03-28
https://github.com/0x0Luk/0xMiddleware	2025-03-28
https://github.com/AnonKryptiQuz/NextSploit	2025-03-30
https://github.com/w2hcorp/CVE-2025-29927-PoC	2025-03-29
https://github.com/dante01yoon/CVE-2025-29927	2025-03-30
https://github.com/ayato-shitomi/WebLab_CVE-2025-29927	2025-03-30
https://github.com/Kamal-418/Vulnerable-Lab-NextJS-CVE-2025-29927	2025-03-30
https://github.com/a9v8i/CVE-2025-29927	2025-04-01
https://github.com/alastair66/CVE-2025-29927	2025-04-01
https://github.com/BilalGns/CVE-2025-29927	2025-04-01
https://github.com/nyctophile0969/CVE-2025-29927	2025-04-01
https://github.com/Heimd411/CVE-2025-29927-PoC	2025-03-27

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 11.1.4 < 12.3.5 Search vendor "Vercel" for product "Next.js" and version " >= 11.1.4 < 12.3.5"		en		Affected
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 14.0.0 < 14.2.25 Search vendor "Vercel" for product "Next.js" and version " >= 14.0.0 < 14.2.25"		en		Affected
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 15.0.0 < 15.2.3 Search vendor "Vercel" for product "Next.js" and version " >= 15.0.0 < 15.2.3"		en		Affected
Vercel Search vendor "Vercel"		Next.js Search vendor "Vercel" for product "Next.js"				>= 13.0.0 < 13.5.9 Search vendor "Vercel" for product "Next.js" and version " >= 13.0.0 < 13.5.9"		en		Affected