CVE-2025-29927 (GCVE-0-2025-29927)

Vulnerability from cvelistv5 – Published: 2025-03-21 14:34 – Updated: 2025-04-08 15:17
VLAI KEVIntel
Title
Authorization Bypass in Next.js Middleware
Summary
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Severity
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
vercel next.js Affected: >= 11.1.4, < 12.3.5
Affected: >= 14.0.0, < 14.2.25
Affected: >= 15.0.0, < 15.2.3
Affected: >= 13.0.0, < 13.5.9
Create a notification for this product.
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: e5ba35a8-add7-4344-82ed-bc8e197689b2

Vulnerability ID: CVE-2025-29927

Status: Confirmed

Status Updated: 2025-12-15 14:29 UTC

Exploited: Yes

Timestamps
First Seen: 2025-12-15
Asserted: 2025-12-15
Scope
Notes: KEVIntel entry: Authorization Bypass in Next.js Middleware | Affected: vercel / next.js | CVSS: 9.1 (CRITICAL) | Used in malware: unknown | Not yet in CISA KEV: True
Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel

Details
Feed KEVIntel (kevintel.com)
Title Authorization Bypass in Next.js Middleware
Vendor vercel
Product next.js
Added Date 2025-12-15T14:29:13.422Z
Cvss Score 9.1
Epss Score None
Cvss Severity CRITICAL
Epss Percentile None
Used In Malware unknown
Ahead Of Cisa Kev None
Not Yet In Cisa Kev True
References
Created: 2026-06-19 12:42 UTC | Updated: 2026-06-19 12:42 UTC
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-08T15:16:38.515188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-08T15:17:05.315Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-03-28T15:03:09.597Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/23/3"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/23/4"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "next.js",
          "vendor": "vercel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 11.1.4, \u003c 12.3.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 14.0.0, \u003c 14.2.25"
            },
            {
              "status": "affected",
              "version": "\u003e= 15.0.0, \u003c 15.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.5.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-08T13:59:00.478Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw"
        },
        {
          "name": "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2"
        },
        {
          "name": "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48"
        },
        {
          "name": "https://github.com/vercel/next.js/releases/tag/v12.3.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/releases/tag/v12.3.5"
        },
        {
          "name": "https://github.com/vercel/next.js/releases/tag/v13.5.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/releases/tag/v13.5.9"
        }
      ],
      "source": {
        "advisory": "GHSA-f82v-jwr5-mffw",
        "discovery": "UNKNOWN"
      },
      "title": "Authorization Bypass in Next.js Middleware"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-29927",
    "datePublished": "2025-03-21T14:34:49.570Z",
    "dateReserved": "2025-03-12T13:42:22.136Z",
    "dateUpdated": "2025-04-08T15:17:05.315Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-29927",
      "date": "2026-06-30",
      "epss": "0.99621",
      "percentile": "0.99946"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-29927\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-21T15:15:42.660\",\"lastModified\":\"2026-06-17T09:05:53.640\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.\"},{\"lang\":\"es\",\"value\":\"Next.js es un framework de React para crear aplicaciones web full-stack. En versiones anteriores a la 14.2.25 y la 15.2.3, era posible omitir las comprobaciones de autorizaci\u00f3n dentro de una aplicaci\u00f3n Next.js si esta se realizaba en middleware. Si no es posible aplicar una versi\u00f3n segura, se recomienda evitar que las solicitudes de usuarios externos que contengan el encabezado \\\"x-middleware-subrequest\\\" lleguen a la aplicaci\u00f3n Next.js. Esta vulnerabilidad se corrigi\u00f3 en las versiones 14.2.25 y 15.2.3.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"vercel\",\"product\":\"next.js\",\"versions\":[{\"version\":\"\u003e= 11.1.4, \u003c 12.3.5\",\"status\":\"affected\"},{\"version\":\"\u003e= 14.0.0, \u003c 14.2.25\",\"status\":\"affected\"},{\"version\":\"\u003e= 15.0.0, \u003c 15.2.3\",\"status\":\"affected\"},{\"version\":\"\u003e= 13.0.0, \u003c 13.5.9\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-04-08T15:16:38.515188Z\",\"id\":\"CVE-2025-29927\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"11.1.4\",\"versionEndExcluding\":\"12.3.5\",\"matchCriteriaId\":\"6D275D05-70E5-49CA-BCFE-74B31DB3D8EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"13.0.0\",\"versionEndExcluding\":\"13.5.9\",\"matchCriteriaId\":\"49731FD6-617A-42DE-9F95-A7F42809C32F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"14.0.0\",\"versionEndExcluding\":\"14.2.25\",\"matchCriteriaId\":\"5F836D0E-1580-40C6-93E5-6DB939E7BA86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.0.0\",\"versionEndExcluding\":\"15.2.3\",\"matchCriteriaId\":\"E214D84F-7B55-4089-B1C4-9BF8B7AC7375\"}]}]}],\"references\":[{\"url\":\"https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vercel/next.js/releases/tag/v12.3.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vercel/next.js/releases/tag/v13.5.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/03/23/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/03/23/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250328-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/03/23/3\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/03/23/4\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20250328-0002/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-03-28T15:03:09.597Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-29927\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-08T15:16:38.515188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-21T15:17:22.967Z\"}}], \"cna\": {\"title\": \"Authorization Bypass in Next.js Middleware\", \"source\": {\"advisory\": \"GHSA-f82v-jwr5-mffw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vercel\", \"product\": \"next.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 11.1.4, \u003c 12.3.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 14.0.0, \u003c 14.2.25\"}, {\"status\": \"affected\", \"version\": \"\u003e= 15.0.0, \u003c 15.2.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 13.0.0, \u003c 13.5.9\"}]}], \"references\": [{\"url\": \"https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw\", \"name\": \"https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2\", \"name\": \"https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48\", \"name\": \"https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vercel/next.js/releases/tag/v12.3.5\", \"name\": \"https://github.com/vercel/next.js/releases/tag/v12.3.5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vercel/next.js/releases/tag/v13.5.9\", \"name\": \"https://github.com/vercel/next.js/releases/tag/v13.5.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-08T13:59:00.478Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-29927\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-08T15:17:05.315Z\", \"dateReserved\": \"2025-03-12T13:42:22.136Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-21T14:34:49.570Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.