CVE-2025-29927
Published: 21 March 2025
Summary
CVE-2025-29927 is a critical-severity Improper Authorization (CWE-285) vulnerability in Vercel Next.js. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely identification, reporting, and correction of flaws in Next.js directly prevents exploitation of the authorization bypass by upgrading to a fixed version.
- SC-7 (Boundary Protection): boundary protection at external interfaces enables blocking of external requests that carry the x-middleware-subrequest header, which is the recommended workaround.
- SI-10 (Information Input Validation): validating HTTP input, headers included, prevents the application from processing an externally supplied x-middleware-subrequest header that would bypass middleware authorization checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of a public-facing Next.js web application to bypass middleware authorization checks (CWE-285/863), matching T1190 for initial access without credentials or user interaction.
NVD Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Deeper analysis
CVE-2025-29927 is a high-severity vulnerability in Next.js, a React framework for building full-stack web applications. It allows attackers to bypass authorization checks when those checks are implemented in middleware. The issue affects Next.js versions starting from 1.11.4 and prior to the fixed releases of 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The vulnerability is associated with CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization), earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By including the x-middleware-subrequest header in an external request, attackers can evade middleware-based authorization logic, potentially accessing protected resources or performing unauthorized actions within the Next.js application. Successful exploitation leads to high impacts on confidentiality and integrity, such as exposing sensitive data or modifying application state.
The official Next.js security advisory (GHSA-f82v-jwr5-mffw) and associated patch commits recommend upgrading to fixed versions 12.3.5, 13.5.9, 14.2.25, or 15.2.3. As a workaround if patching is infeasible, block external user requests containing the x-middleware-subrequest header from reaching the Next.js application. Patch details are available in the relevant GitHub releases and commits.
Details
- CWE(s)