CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw
March 27, 2025, 7:22 p.m.
Description
A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middleware for user authorization, session data validation, route access control, redirections, and UI visibility management. The issue stems from how the runMiddleware function handles the x-middleware-subrequest header. Attackers can craft malicious headers to bypass middleware controls. Affected versions range from 11.1.4 to 15.2.3. Users are urged to update to patched versions or implement mitigation strategies to block external requests containing the vulnerable header.
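One way to implement the interim mitigation the description mentions, as an added example that is not code from the advisory or from Next.js: Express/Connect-style middleware, intended to sit in front of a not-yet-patched application, that rejects and logs any inbound request carrying the x-middleware-subrequest header. The header name comes from the advisory; the helper names and the 400 response are this example's own choices.

```javascript
// Added example (not from the advisory or Next.js): the x-middleware-subrequest
// header is only ever set by Next.js for its own internal subrequests, so a copy
// arriving from outside is never legitimate and can be rejected at the edge.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Returns true when the request headers include the internal-only header.
// Node lowercases header names, but normalise anyway for other front ends.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Express/Connect-style middleware: refuse the request with 400 and emit a log
// line so the attempt is visible to detection tooling; otherwise continue.
function blockSubrequestHeader(req, res, next) {
  if (carriesSubrequestHeader(req.headers)) {
    console.warn(`blocked ${req.method} ${req.url}: external ${BLOCKED_HEADER} header`);
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Drives the middleware against a constructed request and reports whether it
// was passed through or blocked, and with which status code.
function evaluate(headers) {
  let status = null;
  let passed = false;
  const res = {
    statusCode: 200,
    end() { status = this.statusCode; },
  };
  const req = { method: 'GET', url: '/dashboard', headers };
  blockSubrequestHeader(req, res, () => { passed = true; });
  return { passed, status };
}

// Usage with Express would be: app.use(blockSubrequestHeader) before any routes.
```

This is a stopgap for an edge or reverse proxy layer; upgrading to a patched Next.js release remains the actual fix.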
Tags
Date
- Created: March 27, 2025, 6:47 p.m.
- Published: March 27, 2025, 6:47 p.m.
- Modified: March 27, 2025, 7:22 p.m.
Attack Patterns
- T1557
- T1213
- T1552
- T1190
- T1068