Cyber Resilience

CVE-2025-29927

Severity: Critical
Published: 21 March 2025
Modified: 10 September 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9212 (99.7th percentile)
Risk Priority: 73 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29927 is a critical-severity Improper Authorization (CWE-285) vulnerability in Vercel Next.Js. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

Next.js, the React framework for full-stack web applications, contains an authorization bypass vulnerability in its middleware handling. The flaw affects all versions from 1.11.4 up to and including 12.3.4, 13.5.8, 14.2.24 and 15.2.2 in their respective release lines, allowing requests to circumvent checks that would otherwise enforce access control when those checks are implemented inside middleware. The issue is tracked under CWE-285 and CWE-863 and carries a CVSS 9.1 rating, reflecting a network-exploitable impact on confidentiality and integrity.

An unauthenticated remote attacker can exploit the weakness by supplying the x-middleware-subrequest header in an HTTP request, causing the middleware authorization logic to be skipped and granting access to resources or functionality that should have been protected. Because the bypass occurs before application-level controls run, the attacker can reach any endpoints whose security depended on middleware enforcement.

Official advisories and patches direct administrators to upgrade immediately to 12.3.5, 13.5.9, 14.2.25, or 15.2.3. When patching is not feasible, the recommended workaround is to block any external requests that contain the x-middleware-subrequest header before they reach the Next.js application; the referenced GitHub commits and security advisory GHSA-f82v-jwr5-mffw contain the precise changes and release artifacts.
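Two defender-side checks for the guidance above, as an added example that is not code from the advisory or from the Next.js project: a version-range test against the fixed releases named on this page, and a header filter an edge proxy can apply to implement the recommended workaround. The function names and the constructed sample requests are assumptions of this example.

```javascript
// Added example for CVE-2025-29927 (not from the advisory or Next.js itself).
// Fixed releases per the advisory: 12.3.5, 13.5.9, 14.2.25, 15.2.3; affected from 1.11.4.
const FIRST_AFFECTED = [1, 11, 4];
const FIXED_BY_MAJOR = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); a prerelease suffix is ignored,
// which is a simplification: treat canary builds conservatively in real inventory checks.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when a reported next.js version falls inside an affected range.
function isVulnerableNextVersion(v) {
  const ver = parseVersion(v);
  if (cmp(ver, FIRST_AFFECTED) < 0) return false; // before 1.11.4
  const major = ver[0];
  if (major < 12) return true;  // every 1.11.4+ release older than the 12.x fix
  if (major > 15) return false; // later majors shipped after the fix
  return cmp(ver, FIXED_BY_MAJOR[major]) < 0;
}

// HTTP header names are case-insensitive, so normalise before matching.
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === BLOCKED_HEADER);
}

// Decision an edge proxy can apply to external traffic: reject requests that carry
// the header (it is only meaningful for Next.js-internal subrequests), forward the rest.
function filterInboundRequest(req) {
  if (hasMiddlewareSubrequestHeader(req.headers)) {
    return { action: 'reject', status: 403, reason: `external request carried ${BLOCKED_HEADER}` };
  }
  return { action: 'forward', status: null, reason: null };
}

// Constructed sample requests (not captured traffic) to exercise the filter.
const samples = [
  { headers: { host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' } },
  { headers: { host: 'app.example', accept: 'text/html' } },
];
for (const s of samples) console.log(filterInboundRequest(s).action); // reject, forward
```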

The EPSS score currently stands at 0.9212 with a recorded peak of 0.9324, indicating sustained and substantial exploitation interest since disclosure.

Vulnerability details

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

CWE(s): CWE-285 (Improper Authorization), CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability directly enables remote exploitation of a public-facing Next.js web application to bypass middleware authorization checks (CWE-285/863), matching T1190 for initial access without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44573 (same product: Vercel Next.Js)
CVE-2026-45109 (same product: Vercel Next.Js)
CVE-2026-44574 (same product: Vercel Next.Js)
CVE-2026-44578 (same product: Vercel Next.Js)
CVE-2026-44575 (same product: Vercel Next.Js)
CVE-2025-57822 (same product: Vercel Next.Js)
CVE-2025-59472 (same product: Vercel Next.Js)
CVE-2025-59471 (same product: Vercel Next.Js)
CVE-2026-27980 (same product: Vercel Next.Js)
CVE-2026-27979 (same product: Vercel Next.Js)

Affected Assets

Vendor: vercel
Product: next.js
Affected version ranges: 11.1.4 to 12.3.5 · 13.0.0 to 13.5.9 · 14.0.0 to 14.2.25

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Timely identification, reporting, and correction of flaws in Next.js directly prevents exploitation of the authorization bypass by applying patches to the fixed versions.

SC-7 Boundary Protection (prevent)

Boundary protection at external interfaces enables blocking of external requests that contain the x-middleware-subrequest header, implementing the recommended workaround.

SI-10 Information Input Validation (prevent)

Validating HTTP input data, including headers, prevents processing of the x-middleware-subrequest header that bypasses middleware authorization checks.
