CVE-2025-29927
Published: 21 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-29927 is a high-severity vulnerability in Next.js, a React framework for building full-stack web applications. It allows attackers to bypass authorization checks when those checks are implemented in middleware. The issue affects Next.js versions starting from 1.11.4 and prior to the fixed releases of 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The vulnerability is associated with CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization), earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By including the x-middleware-subrequest header in an external request, attackers can evade middleware-based authorization logic, potentially accessing protected resources or performing unauthorized actions within the Next.js application. Successful exploitation leads to high impacts on confidentiality and integrity, such as exposing sensitive data or modifying application state.
The official Next.js security advisory (GHSA-f82v-jwr5-mffw) and associated patch commits recommend upgrading to fixed versions 12.3.5, 13.5.9, 14.2.25, or 15.2.3. As a workaround if patching is infeasible, block external user requests containing the x-middleware-subrequest header from reaching the Next.js application. Patch details are available in the relevant GitHub releases and commits.
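As an added illustration of the workaround above (example code, not from the advisory or from Next.js itself), the following Node.js edge filter rejects any external request that carries the x-middleware-subrequest header before it can reach the Next.js application. It assumes the filter sits in front of the application at a reverse proxy or edge listener; the upstream forwarding step is hypothetical and only reported, not implemented.

```javascript
// Added example (not part of the advisory or of Next.js): an edge filter that
// enforces the advisory's workaround by rejecting external requests that carry
// the x-middleware-subrequest header before they reach the Next.js app.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive, so compare in lowercase. Node's
// req.headers is already lowercased, but callers may pass raw header maps.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}

// Decide what the edge should do with a request given its headers.
// Returns { action: 'reject', status: 400 } or { action: 'forward', status: 200 }.
function filterRequest(headers) {
  if (carriesSubrequestHeader(headers)) {
    return { action: 'reject', status: 400, reason: `external request carried ${BLOCKED_HEADER}` };
  }
  return { action: 'forward', status: 200 };
}

// Request handler for the edge listener. In a real deployment the 'forward'
// branch would proxy to the Next.js origin (hypothetical upstream, not shown);
// here it only reports the decision so the handler stays self-contained.
function edgeHandler(req, res) {
  const decision = filterRequest(req.headers);
  if (decision.action === 'reject') {
    // Log the rejection so blocked probes are visible to monitoring.
    console.warn(`[edge] rejected ${req.method} ${req.url}: ${decision.reason}`);
    res.writeHead(decision.status, { 'Content-Type': 'text/plain' });
    res.end('Bad Request\n');
    return;
  }
  res.writeHead(decision.status, { 'Content-Type': 'text/plain' });
  res.end('forwarded to Next.js origin\n');
}

// Constructed sample header maps for an offline check (values are made up;
// the filter keys on the header's presence, not its value).
const externalProbe = { Host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' };
const ordinaryRequest = { host: 'app.example', accept: 'text/html' };

// To run as a listener: require('http').createServer(edgeHandler).listen(8080)
```

Because Next.js uses this header for its own internal subrequests, the filter belongs only at the boundary where external traffic enters, not between Next.js components.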
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of a public-facing Next.js web application to bypass middleware authorization checks (CWE-285/863), matching T1190 for initial access without credentials or user interaction.