Next.js: Next.js authorization bypass (CVE-2025-29927) #shorts

Summary

In today's podcast, we delve into the recently discovered CVE-2025-29927, a critical vulnerability affecting Next.js, a popular React framework for building full-stack web applications.

Product details

Next.js is widely used by developers for creating dynamic web applications. The framework offers powerful tools for server-side rendering, static site generation, and more. However, a newly disclosed vulnerability has put applications built on Next.js at risk: every release from 11.1.4 up to and including 12.3.4, 13.5.8, 14.2.24 and 15.2.2 is affected.

Vulnerability type summary

The vulnerability is categorized under CWE-285: Improper Authorization. In practice it means that an authorization check implemented in Next.js middleware can be skipped entirely, so an unauthenticated or low-privileged client can reach routes that middleware was supposed to protect.

Details of the vulnerability

CVE-2025-29927 stems from how the Next.js server decides whether to run middleware for a given request. Middleware is skipped for internal subrequests, which the framework marks with the x-middleware-subrequest header. In affected versions that header was honoured even when it arrived from an external client, so an attacker can attach it to an ordinary request and have any authorization check that lives in middleware skipped, escalating their effective privileges in the application. The susceptible versions are 11.1.4 and later, prior to 12.3.5, 13.5.9, 14.2.25 and 15.2.3. For deployments that cannot update immediately, the recommended workaround is to block or strip external requests containing the x-middleware-subrequest header before they reach the Next.js application, for example at a reverse proxy or WAF; the application itself cannot be trusted to ignore the header on an affected version.
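The following JavaScript is an added illustration, not Next.js source code and not code from the podcast. It models a middleware-gated route in which the framework layer trusts a client-supplied internal marker header and skips middleware, then shows the advisory's workaround (stripping the header at the trust boundary) next to a design that never lets a header decide whether authorization runs. Only the header name comes from the advisory; the skip logic, the toy session check and the request objects are simplifying assumptions, and because the page does not say which header value affected versions look for, the model skips middleware on the header's mere presence.

```javascript
// Added example: simplified model of a middleware-gated route. Not Next.js source.
// ASSUMPTIONS: the "looksInternal" skip below is a stand-in for the framework's own
// internal-subrequest handling; the cookie check is a toy session check; the header
// value is a placeholder, since the real value checked by affected versions is not
// discussed on this page.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Requests are plain objects { path, headers } with lowercase header names,
// the way Node's http module presents incoming headers.
function makeRequest(path, headers = {}) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  return { path, headers: lower };
}

// Application middleware holding the authorization check (the pattern the CVE targets).
// Returns a response to short-circuit with, or null to continue to the route handler.
function authMiddleware(req) {
  const isAdminRoute = req.path.startsWith('/admin');
  const isAdminSession = req.headers.cookie === 'session=admin'; // toy session check
  if (isAdminRoute && !isAdminSession) return { status: 401, body: 'unauthorized' };
  return null;
}

function routeHandler() {
  return { status: 200, body: 'admin dashboard' };
}

// VULNERABLE model: the framework treats the marker header as proof that the request is
// an internal subrequest and skips middleware, so the authorization check never runs.
function handleVulnerable(req) {
  const looksInternal = SUBREQUEST_HEADER in req.headers;
  if (!looksInternal) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return routeHandler();
}

// WORKAROUND from the advisory for deployments that cannot patch: drop the header at
// the trust boundary (in production this lives in the reverse proxy, not in the app).
function stripSubrequestHeader(req) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  return { path: req.path, headers };
}

function handleWithBoundaryStrip(req) {
  return handleVulnerable(stripSubrequestHeader(req));
}

// HARDENED model: no client-controllable input decides whether authorization runs;
// the check executes unconditionally before the handler.
function handleHardened(req) {
  const denied = authMiddleware(req);
  if (denied) return denied;
  return routeHandler();
}

// Detection hook: a legitimate browser never sends this header, so any external
// request carrying it is worth alerting on. Returns the paths of offending requests.
function findSubrequestHeaderAbuse(requests) {
  return requests.filter((r) => SUBREQUEST_HEADER in r.headers).map((r) => r.path);
}

// Stand-alone demo with constructed requests.
const attack = makeRequest('/admin/users', { 'X-Middleware-Subrequest': 'placeholder' });
const anonymous = makeRequest('/admin/users');
const admin = makeRequest('/admin/users', { Cookie: 'session=admin' });
console.log('vulnerable, attacker :', handleVulnerable(attack).status);        // 200
console.log('boundary strip       :', handleWithBoundaryStrip(attack).status); // 401
console.log('hardened, attacker   :', handleHardened(attack).status);          // 401
console.log('hardened, anonymous  :', handleHardened(anonymous).status);       // 401
console.log('hardened, real admin :', handleHardened(admin).status);           // 200
console.log('flagged paths        :', findSubrequestHeaderAbuse([attack, anonymous, admin]));
```

The boundary-strip variant is the stopgap: it only works if every path into the application goes through the component that strips the header. The hardened variant is the durable fix the upgrade delivers in spirit, namely that whether authorization runs is never a function of attacker-controlled input. The detection hook doubles as a cheap check on proxy logs for attempts against the unpatched versions.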

Conclusion

This vulnerability highlights the critical importance of maintaining up-to-date software and vigilance against potential exploits. If you're using Next.js, ensure you're on a fixed release (12.3.5, 13.5.9, 14.2.25 or 15.2.3, or later within the same major line), and until then keep the x-middleware-subrequest header from reaching the application. Stay tuned for more updates and always prioritize securing your web infrastructure.

Watch the full video on YouTube: CVE-2025-29927

CVE database technical details

CVE ID
CVE-2025-29927
Description
Next.js is a React framework for building full-stack web applications. Starting in version 11.1.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Provider
GitHub_M
CWE / problem types
CWE-285: Improper Authorization
Affected Software Versions
vercel:next.js
  >= 11.1.4, < 12.3.5 (affected)
  >= 13.0.0, < 13.5.9 (affected)
  >= 14.0.0, < 14.2.25 (affected)
  >= 15.0.0, < 15.2.3 (affected)
Date Published
2025-03-21T14:34:49.570Z
Last Updated
2025-04-08T15:17:05.315Z