CVE-2025-29927
Published: 21 March 2025
Summary
CVE-2025-29927 is a critical-severity Improper Authorization (CWE-285) vulnerability in Vercel Next.js. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
Next.js, the React framework for full-stack web applications, contains an authorization bypass vulnerability in its middleware handling. The flaw affects versions from 1.11.4 onward, up to and including 12.3.4, 13.5.8, 14.2.24, and 15.2.2 in their respective release lines, and allows requests to circumvent access-control checks when those checks are implemented inside middleware. The issue is tracked under CWE-285 and CWE-863 and carries a CVSS 9.1 rating reflecting network-exploitable impacts to confidentiality and integrity.
An unauthenticated remote attacker can exploit the weakness by supplying the x-middleware-subrequest header in an HTTP request, causing the middleware authorization logic to be skipped and granting access to resources or functionality that should have been protected. Because the bypass occurs before application-level controls run, the attacker can reach any endpoints whose security depended on middleware enforcement.
Official advisories and patches direct administrators to upgrade immediately to 12.3.5, 13.5.9, 14.2.25, or 15.2.3. When patching is not feasible, the recommended workaround is to block any external requests that contain the x-middleware-subrequest header before they reach the Next.js application; the referenced GitHub commits and security advisory GHSA-f82v-jwr5-mffw contain the precise changes and release artifacts.
The EPSS score currently stands at 0.9212 with a recorded peak of 0.9324, indicating sustained and substantial exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7243
Vulnerability details
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
- CWE(s): CWE-285 (Improper Authorization), CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of a public-facing Next.js web application to bypass middleware authorization checks (CWE-285/863), matching T1190 for initial access without credentials or user interaction.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: timely identification, reporting, and correction of flaws in Next.js directly prevents exploitation of the authorization bypass by applying patches to the fixed versions.
- SC-7 (Boundary Protection): boundary protection at external interfaces enables blocking of external requests containing the x-middleware-subrequest header, implementing the recommended workaround.
- SI-10 (Information Input Validation): validating HTTP input data, including headers, prevents processing of the x-middleware-subrequest header that bypasses middleware authorization checks.
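The workaround described under "Deeper analysis" and the SC-7/SI-10 controls above both come down to one check at the network edge: refuse (or strip) any external request carrying the x-middleware-subrequest header before it reaches Next.js. The following Node.js code is an added example written for this page; it is not code from the advisory or from the Next.js project. The sample requests, the 400 response, the log line format and the `createEdgeServer` wiring are all assumptions made for illustration, and the upstream forwarding function is left to the caller.

```javascript
// Added example: an edge filter implementing the documented workaround for
// CVE-2025-29927. Not part of Next.js; written for this page.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Node lower-cases incoming header names, but upstream proxies and test
// fixtures may not, so normalise before comparing.
function hasMiddlewareSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER,
  );
}

// Decide what the edge does with a request: forward it unchanged, or reject
// it with 400 and emit a log line that a detection rule can key on.
function filterRequest(req) {
  if (hasMiddlewareSubrequestHeader(req.headers)) {
    return {
      action: 'reject',
      status: 400,
      log: `blocked ${req.method} ${req.url} from ${req.remoteAddress}: ` +
        `${BLOCKED_HEADER} header present`,
    };
  }
  return { action: 'forward', status: null, log: null };
}

// For deployments that prefer stripping to rejecting: return a copy of the
// headers with the blocked header removed, leaving everything else intact.
function stripHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) out[name] = value;
  }
  return out;
}

// Minimal server wiring (assumed shape). `forward(req, res)` is supplied by
// the caller and proxies to the Next.js application.
function createEdgeServer(forward) {
  const http = require('node:http');
  return http.createServer((req, res) => {
    const decision = filterRequest({
      method: req.method,
      url: req.url,
      headers: req.headers,
      remoteAddress: req.socket.remoteAddress,
    });
    if (decision.action === 'reject') {
      console.warn(decision.log);
      res.writeHead(decision.status, { 'content-type': 'text/plain' });
      res.end('Bad Request\n');
      return;
    }
    forward(req, res);
  });
}

// Constructed sample requests (not real traffic) for a stand-alone run.
const SAMPLE_REQUESTS = [
  {
    method: 'GET', url: '/dashboard', remoteAddress: '203.0.113.10',
    headers: { host: 'app.example', 'x-middleware-subrequest': '1' },
  },
  {
    method: 'GET', url: '/dashboard', remoteAddress: '203.0.113.11',
    headers: { host: 'app.example', 'user-agent': 'curl/8.0' },
  },
];

// Returns the edge decision for each constructed sample, in order.
function runSamples() {
  return SAMPLE_REQUESTS.map((r) => filterRequest(r).action);
}

console.log(runSamples()); // [ 'reject', 'forward' ]
```

Rejecting rather than silently stripping is the safer default here, since the header has no legitimate reason to arrive from outside and a 400 plus the log line gives the SOC a clean signal to alert on; the strip variant exists for edges that must not change response codes.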