Detections
Analytics

CVE-2025-29927

critical

Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

References

https://thehackernews.com/2025/03/cisa-flags-two-six-year-old-sitecore.html

https://www.securityweek.com/critical-next-js-vulnerability-in-hacker-crosshairs/

https://www.akamai.com/blog/security-research/2025/mar/march-authorization-bypass-critical-nextjs-detections-mitigations

https://hackread.com/next-js-middleware-flaw-bypass-authorization/

https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/

https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html

https://securityaffairs.com/175775/security/next-js-react-framework-critical-issue.html

https://cyberscoop.com/nextjs-critical-vulnerability-open-source-vercel/

https://nextjs.org/blog/cve-2025-29927

https://security.netapp.com/advisory/ntap-20250328-0002/

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

https://github.com/vercel/next.js/releases/tag/v13.5.9

https://github.com/vercel/next.js/releases/tag/v12.3.5

https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48

https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2

http://www.openwall.com/lists/oss-security/2025/03/23/4

http://www.openwall.com/lists/oss-security/2025/03/23/3

Details

Source: Mitre, NVD

Published: 2025-03-21

Updated: 2025-04-08

Named Vulnerability: The Shocking Next.js Middleware FlawNamed Vulnerability: Next.js Middleware VulnerabilityNamed Vulnerability: Next.js Middleware ExploitNamed Vulnerability: Next.js Middleware Bypass VulnerabilityNamed Vulnerability: Next.js Middleware Authorization Bypass FlawNamed Vulnerability: Next.js Middleware Authorization Bypass

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical

EPSS

EPSS: 0.93156

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest