CVE-2025-29927

Published Mar 21, 2025

Last updated 6 days ago

CVSS critical 9.1
React
Next.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-29927 is an authorization bypass vulnerability in Next.js, a React framework. The framework uses the `x-middleware-subrequest` header as an internal marker for subrequests it makes to itself, so that middleware does not run a second time on them; affected versions did not distinguish that internal marker from a copy of the header supplied by an external client. A request carrying a suitable value for the header is therefore treated as an internal subrequest and the middleware is skipped altogether, so any check implemented there (for example validating an authorization cookie before a route is reached) never runs. Self-hosted Next.js applications that rely on middleware for authentication or other security checks are affected. The vulnerability is fixed in Next.js versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Insights

Analysis from the Intruder Security Team
Published Mar 24, 2025 Updated Mar 24, 2025

This authorization bypass vulnerability in Next.js allows an attacker to skip middleware validation steps such as checking that the user is authorized to access a resource. The exploit is a single spoofed request header, so it is simple to use and could be exploited at scale, though some manual effort is likely to be required to identify routes that are gated only by middleware and are otherwise inaccessible without authentication.

The advisory singles out self-hosted deployments that serve the application with `next start` or `output: 'standalone'` and says they should be updated as a priority; it also lists the affected versions.

Next.js is a full-stack framework; applications that only use its front-end features and do not run middleware are not vulnerable to this issue. Popular WAFs such as Cloudflare added detection rules for this exploit early on, so applications deployed behind a WAF with effective rules are at reduced risk. WAFs should not be relied upon to protect against this weakness, however: further research could reveal bypasses or alternative routes to exploit it, so the header should be stripped at every entry path into the application, and the application patched, regardless.

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-285
nvd@nist.gov
CWE-863

Social media

Hype score
Not currently trending
  1. 🚨 New video now available! 📽️ Exploiting CVE-2025-29927 step by step 🧠 Vulnerable middleware → working PoC → real execution ✅ Detect the vulnerable version ✅ Analyse the flow ✅ Build the PoC ✅ Practical exploitation 📺 https://t.co/Noy9UEmXIo

    @gorkaelbochi

    16 Sept 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 💡 ⚒️ ✏️  Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927) https://t.co/cDC5TeXhMw

    @pedri77

    15 Sept 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 This Tuesday the 16th at 20:00 I'm uploading a video: step-by-step exploitation of CVE-2025-29927 🧠 The target? A vulnerable middleware. You'll see: ✅ What middleware is ✅ How to detect the vulnerable version ✅ How to exploit it (for real) 💥 No theory. All hands-on. 💞 ht

    @gorkaelbochi

    15 Sept 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/3sLnz8REQ3 #tryhackme via @realtryhackme

    @vinnykosgeii

    13 Sept 2025

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Next.js CVE-2025-29927 – Authentication Bypass Explained 🔎 What Happened? A critical vulnerability in Next.js middleware (CVE-2025-29927, CVSS 9.1) allows attackers to bypass authentication and authorization checks. The root cause: improper trust of an internal header

    @AnonOzzyDude

    8 Sept 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Unmasking #CVE-2025-29927: The Nextjs Framework Flaw Every Hunter Must Understand https://t.co/ReHVZzwlgw Educational Purposes!

    @UndercodeUpdate

    7 Sept 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-29927, a newly discovered critical vulnerability in the Next.js framework, could allow the authorization mechanism to be bypassed entirely and may have a serious impact on web applications. The problem lies in the improper

    @yousukezan

    1 Sept 2025

    1947 Impressions

    6 Retweets

    15 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  8. VIDEO POC CVE-2025-29927 https://t.co/hyIIbdPgCe

    @h4x0r_fr34k

    1 Sept 2025

    733 Impressions

    3 Retweets

    26 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-29927: Next.js Middleware Authorization Bypass https://t.co/3F4JkIEfkt #news

    @packet_storm

    1 Sept 2025

    460 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. [Authentication bypass via critical Next.js vulnerability] A critical vulnerability, CVE-2025-29927, has been discovered in the Next.js framework; attackers can abuse improper handling of the x-middleware-subrequest header to completely bypass

    @nakajimeeee

    1 Sept 2025

    482 Impressions

    0 Retweets

    2 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 CVE-2025-29927 – Next.js Middleware Bypass A deep technical dive into how x-middleware-subrequest can be exploited to bypass auth checks in Next.js apps. Read the full write-up here 👇 https://t.co/aW3qQjK5oO #NextJS #CVE2025 #WebSecurity #Pentesting #Hacking #BugBoun

    @NullSecurityX

    31 Aug 2025

    2339 Impressions

    10 Retweets

    67 Likes

    36 Bookmarks

    2 Replies

    1 Quote

  12. New YouTube video 😸🔥 🐧Extract | TryHackMe | CVE-2025-29927 | SSRF😸🛸 🐧 TryHackMe Extract Video link in first comment: ⤵️⤵️⤵️🦜🦜🦜 https://t.co/MM57CQhWfT

    @DjalilAyed

    25 Aug 2025

    626 Impressions

    0 Retweets

    4 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  13. ⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-29927 CVE-2025-43300 CVE-2025-57788 (@chudyPB, Sonny) CVE-2025-9132 (@GoogleDeepMind) CVE-2025-9074 CVE-2025-57790 CVE-2025-57789 CVE-2025-57791 CVE-2024-41787

    @ptdbugs

    22 Aug 2025

    127 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-29927 Exploitation : X-Nextjs-Data: 1 X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware https://t.co/yMOPQxUFiP

    @h4x0r_fr34k

    21 Aug 2025

    9684 Impressions

    57 Retweets

    246 Likes

    162 Bookmarks

    1 Reply

    0 Quotes

  15. In March, @vercel faced intense criticism for a critical 9.1-rated vulnerability (CVE-2025-29927) in Next.js middleware, with many accusing the company of slow disclosure and poor communication with customers. Competing tech CEOs publicly called out Vercel’s handling of the iss

    @growwithever

    12 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. (🧵Thread) 🔎 In this week’s Threat Alert Newsletter: CVE-2025-29927, an authentication bypass in Next.js is drawing fresh attention from attackers. CrowdSec CTI has observed a sharp uptick in exploitation attempts across our global network. We break down why this 3-month-

    @Crowd_Security

    4 Aug 2025

    303 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  17. PoC CVE-2025-29927: Middleware Bypass + RCE in Next.js | Python Exploit | Bug Hunters & Ethical Hacking. Link to the video on YouTube, please subscribe. https://t.co/QBotfpZyMd https://t.co/ROW4tOJC6E

    @Z3R0NYX

    28 Jul 2025

    160 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. [CRITICAL] #CVE-2025-29927 A #vulnerability in Next.js web apps allowing an attacker to bypass authorization checks by spoofing the internal x-middleware-subrequest HTTP header. • Is it Exploitable? Yes! More: Recommended upgrade & additional workaround https://t.co/VWmAsH

    @jed_security_

    18 Jul 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. #LSPPDay45 🧠Pwned NeuroSync-D Sherlock! Emulated a full attack chain on a vulnerable web server exploiting CVE-2025-29927, then flipped to blue team mode to analyze logs and trace the intrusion.https://t.co/DA3uCjPOth #60DaysOfLearning2025 #LearningWithLeapfrog @lftechnology

    @imsushxnt

    15 Jul 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨Alert📷 CVE-2025-29927: Next.js Middleware Bypass Vulnerability 📷Hunter Link:https://t.co/pxrkIDWqaK… 📷Query HUNTER : ="Next.js" FOFA : product="NEXT.JS" SHODAN : Next

    @hir0k1sawada

    22 Jun 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨Alert📷 CVE-2025-29927: Next.js Middleware Bypass Vulnerability 📷 9.5M+ Services are found on the yearly. 📷Hunter Link:https://t.co/pxrkIDWqaK 📷Query HUNTER : https://t.co/eaT5Y5MzzK="Next.js" FOFA : product="NEXT.JS" SHODAN : Next.js 👇

    @hir0k1sawada

    22 Jun 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. "Critical Next.js Middleware Bypass Affects Popular AI Apps (CVE-2025-29927)" by Sharon #DEVCommunity #ai #bypass #vulnerabilities #cybersecurity https://t.co/IsK1vq35m0

    @Sharon18866

    16 Jun 2025

    103 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. 🚨 A critical vulnerability (CVE-2025-29927) in Next.js allows attackers to bypass middleware logic, risking authentication and security in popular AI apps. Upgrade to patched versions 14.2.25 or 15.2.3 to stay safe! 🛡️ #Nextjs #Cybersecurity @SharonTech https://t.co/wjHOJ

    @prod42net

    16 Jun 2025

    41 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. "CVE-2025-29927: How a Header Bypass in Next.js Broke Auth for Some AI Apps" by Sharon #DEVCommunity #cybersecurity #webdev #beginners https://t.co/6qvfRreScu

    @Sharon18866

    10 Jun 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. CVE-2025-29927: How a Header Bypass in Broke Auth for Some AI Apps https://t.co/0uukfRSdvX

    @MatthewThomz

    10 Jun 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨 A critical flaw in Next.js (CVE-2025-29927) allows attackers to bypass authentication in AI apps by spoofing a header. Upgrade to patched versions immediately to secure your routes! Stay vigilant with your headers! #NextJS #CyberSecurity #AIApps @Sharon https://t.co/CZargMeo

    @prod42net

    10 Jun 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Just published a writeup on CVE-2025-29927, a serious Next.js authentication bypass caused by improper handling of middleware header. Covered the basics, the vulnerability, and walked through a real lab to demonstrate the impact. Check it out! https://t.co/CRuDF5VBfp

    @vikramhere200

    20 May 2025

    53 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 🚨 CVE-2025-29927: Next.js Middleware Authorization Bypass A critical flaw in Next.js allows attackers to spoof the x-middleware-subrequest header, bypassing middleware, including auth checks, and accessing protected routes.

    @ali_sher_shahid

    8 May 2025

    8 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  29. Impact : It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. CVE-ID : CVE-2025-29927 Weakness : CWE-285 ( Improper Authorization ) Credits : - Allam Rachid (zhero;) - Allam Yasser (inzo_) https://t.co/7Rm

    @40sp3l

    7 May 2025

    3363 Impressions

    10 Retweets

    134 Likes

    64 Bookmarks

    2 Replies

    0 Quotes

  30. CVE-2025-29927: Next.js Middleware Authorization Bypass https://t.co/qXHAOwHp22

    @Info2sec_Torii

    5 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. CVE-2025-29927: #Next.js #Middleware #Authorization_Bypass https://t.co/QkyPAGAuaz https://t.co/2UXSqdnoDi

    @omvapt

    2 May 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Security matters, especially when it impacts your production apps. This post breaks down CVE-2025-29927 in Next.js: what it is, what’s at risk, and what steps to take. We walk through the impact with precision, so you can act fast and stay secure: https://t.co/DR1Xw6wmHq 🔐

    @upsuncom

    2 May 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Proof-of-Concept Exploit: Next.js Middleware (CVE-2025-29927) Credit: https://t.co/WEAd19KCE9 https://t.co/NxyiCLjVqR

    @DarkWebInformer

    1 May 2025

    22151 Impressions

    68 Retweets

    432 Likes

    275 Bookmarks

    3 Replies

    0 Quotes

  34. 🚨 CVE-2025-29927: Next.js Middleware Authorization Bypass A critical flaw in Next.js allows attackers to spoof the x-middleware-subrequest header, bypassing middleware, including auth checks, and accessing protected routes. 📍 CVSS: 9.1 🛡️ Impact: Auth bypass, privile

    @offsectraining

    1 May 2025

    4148 Impressions

    11 Retweets

    59 Likes

    10 Bookmarks

    1 Reply

    0 Quotes

  35. Doing the Due Diligence: Analyzing the Next.js Middleware Bypass (CVE-2025-29927) #Next.jsVulnerability #MiddlewareBypass #CVE202529927 #SecurityResearch #DueDiligence https://t.co/lKIO3lROJU

    @reverseame

    28 Apr 2025

    1590 Impressions

    6 Retweets

    26 Likes

    5 Bookmarks

    2 Replies

    0 Quotes

  36. Lessons from CVE-2025-29927 (Next.js auth bypass) When a major web framework springs a leak, what can we learn? 🤔 No One’s Invincible, Speed Matters & Defence in Depth Read our latest article here: https://t.co/W9dpluv4pT #AppSec #VulnerabilityManagement #ApolloSec

    @ApolloSec110629

    26 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Threat Alert: Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt CVE-2025-29927 Severity: ⚠️ Critical Maturity: 💥 Mainstream Learn more: https://t.co/IY5h7vrAEU #CyberSecurity #ThreatIntel #InfoSec (1/3)

    @fletch_ai

    23 Apr 2025

    55 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  38. Hey, did you hear about the Next.js flaw (CVE-2025-29927)? Attackers can sneak in using a fake "x-middleware-subrequest" header! Like a wolf in sheep's clothing! Patch ASAP! https://t.co/B0GSmAwGH0

    @fin_tech_news_

    22 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Ready to tackle another legendary CVE? 🔍 Just added to Hackviser Labs: A hands-on lab for Next.js Middleware Authorization Bypass (CVE-2025-29927)! 🚀 Perfect for security professionals and enthusiasts looking to understand and practice with real-world vulnerabilities 💪 Try

    @hackviserr

    22 Apr 2025

    178 Impressions

    4 Retweets

    10 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. Critical vulnerability CVE-2025-29927 in Next.js allows unauthorized access via middleware. Affects versions before 12.3.5, 13.5.9, 14.2.25, and 15.2.3. Stay updated! 🚨 #NextJS #DataProtection #USA link: https://t.co/uhndwFlyYo https://t.co/legkeFgEKk

    @TweetThreatNews

    21 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 💥 FLASH NOTICE 💥 CVE-2025-29927 is a #criticalvulnerability discovered in Next.js, and allows attackers to bypass authorization checks enforced in #middleware. For full details & mitigation recommendations, view the notice here: https://t.co/CKXuyiLIlj https://t.co/2tPQH19

    @Avertium

    18 Apr 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Next.js Middleware Auth Bypass (CVE-2025-29927) and Local File Read via XXE - HackDonalds Challenge https://t.co/z3hCTQTQw2 @intigriti

    @tbbhunter

    17 Apr 2025

    4743 Impressions

    8 Retweets

    36 Likes

    16 Bookmarks

    0 Replies

    1 Quote

  43. A critical vulnerability (CVE-2025-29927) in the Next.js framework that could expose sensitive data has been discovered. Read advise from the NCSC: https://t.co/QG1cDJkLHb Check out the NCSC advisory and take action to secure your apps. #CyberSecurity #NextJS #WebDevelopment

    @DigitalXRAID

    15 Apr 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 🚨 #CVE-2025-29927, an authentication bypass in Next.js Middleware! ☑️ Risk: unauthorized access to protected resources ☑️ Affected versions: 14.2.25 and below ☑️ Search on https://t.co/gKKiwWrA0u for: "X Powered By: Next.js" ☑️ Fix: update the version & #ASM https://t.co/OAmmhkjFrj https://t.co/rQTTMorqJV

    @CriminalIP_AR

    15 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Next.js Middleware authentication bypass vulnerability "#CVE-2025-29927" ☑️ Impact: unauthorized access to protected resources ☑️ Vulnerable versions: below 14.2.25 ☑️ Fixed versions: 12.3.5, 13.5.9, 14.2.25, 15.2.3 ☑️ Query on https://t.co/IVizkfqat2: "X Powered By: Next.js" ☑️ Countermeasure: upgrade & #ASM https://t.co/nOMNodXyZC https://t.co/pXo7WPGgEc

    @CriminalIP_JP

    15 Apr 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 🚨 Next.js middleware authentication bypass vulnerability #CVE-2025-29927! ☑️ Impact: unauthorized access to protected resources ☑️ Vulnerable versions: below 14.2.25 ☑️ Fixed versions: 12.3.5, 13.5.9, 14.2.25, 15.2.3 ☑️ Detection query on https://t.co/ZdemHmQb5V: "X Powered By: Next.js" ☑️ Action: update the version & #ASM Blog: https://t.co/NcJ1dmn6PR https://t.co/SgpUNJ7hwq

    @CriminalIP_KR

    15 Apr 2025

    79 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  47. HackerNotes TLDR for episode 118! Link for the post with all references below. ►⠀Next.js Middleware Bypass (CVE-2025-29927): The Searchlight Cyber (AssetNote) team has done another deep dive on the Next.JS middleware bypass, giving us some extra payloads to play around with.

    @ctbbpodcast

    14 Apr 2025

    2309 Impressions

    3 Retweets

    43 Likes

    17 Bookmarks

    0 Replies

    0 Quotes

  48. Read about observed attack traffic, detections, and mitigations for an authorization bypass vulnerability in Next.js (CVE-2025-29927). Learn more. @Akamai #AkamaiSecurity https://t.co/4SGK2EGtg4 https://t.co/zPEmNMGoNt

    @Yanivzadok

    13 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. 🚨 New Arena Lab Dropped! Middleman (CVE-2025-29927) is now live on Parrot CTFs! 💥 Learn how to exploit a middleware authentication bypass in Next.js and gain access to protected routes. 🔓 Easy difficulty – perfect for sharpening your web exploitation skills! 🏆 Earn 10 https

    @parrot_ctfs

    11 Apr 2025

    110 Impressions

    2 Retweets

    8 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. NextJS Vulnerability Alert: CVE-2025-29927 A new auth bypass bug has hit Next.js — are your apps safe? 🔐 Dive into the full breakdown: 🔗 https://t.co/c3CkACGdjb #ParrotCTFs https://t.co/iJ0iQYmGfp

    @parrot_ctfs

    10 Apr 2025

    82 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations