Authorization Bypass in Next.js Framework by Vercel
CVE-2025-29927
What is CVE-2025-29927?
CVE-2025-29927 is a vulnerability in the Next.js framework, developed by Vercel, which is widely used for building full-stack web applications using React. The vulnerability allows for an authorization bypass when checks are implemented within middleware, potentially enabling unauthorized access to sensitive application resources. Organizations leveraging Next.js for their web applications could face significant security risks, including unauthorized data access or manipulation, if they do not address this flaw promptly.
Technical Details
This vulnerability arises from a flaw in how Next.js handles authorization checks implemented in middleware: such checks can be bypassed, permitting attackers to reach application functionality the middleware was meant to protect. The issue affects Next.js versions prior to 14.2.25 and 15.2.3 (see Affected Version(s) below for the full ranges). Organizations should upgrade their Next.js frameworks to these versions or later to ensure protection against potential exploitation.
Potential impact of CVE-2025-29927
- Unauthorized Access: Attackers could gain unauthorized access to user data or restricted application features, compromising the integrity and confidentiality of sensitive information.
- Data Manipulation Risks: Successful exploitation of this vulnerability may allow attackers to alter or delete data within the application, disrupting services or impacting user trust.
- Compliance Violations: Organizations could face legal and regulatory repercussions if sensitive information is accessed or breached due to this vulnerability, leading to potential fines and reputational damage.
Affected Version(s)
- next.js >= 11.1.4, <= 13.5.6
- next.js > 14.0.0, < 14.2.25
- next.js > 15.0.0, < 15.2.3
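As an added example (not code from this advisory page, from Vercel or from the Next.js project), the following script checks an installed next.js version against the affected ranges listed above, so an operator can confirm whether the upgrade described under Technical Details is still outstanding. It assumes the range boundaries exactly as this page states them and uses a simplified three-component version comparison rather than full semver.

```javascript
// Affected ranges transcribed from the "Affected Version(s)" section above.
// loInclusive/hiInclusive encode the >= / <= versus > / < boundaries of each row
// as stated on this page; confirm them against the upstream advisory before relying on them.
const AFFECTED_RANGES = [
  { lo: '11.1.4', loInclusive: true,  hi: '13.5.6',  hiInclusive: true },
  { lo: '14.0.0', loInclusive: false, hi: '14.2.25', hiInclusive: false },
  { lo: '15.0.0', loInclusive: false, hi: '15.2.3',  hiInclusive: false },
];

// Parse "MAJOR.MINOR.PATCH" into three numbers. Pre-release suffixes such as
// "-canary.3" are ignored for ordering; this is a simplification, not full semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions component by component: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the affected range the version falls into, or null if none matches,
// so a caller can report which row of the table applied.
function affectedRange(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    const lo = compareVersions(v, parseVersion(r.lo));
    const hi = compareVersions(v, parseVersion(r.hi));
    const aboveLo = r.loInclusive ? lo >= 0 : lo > 0;
    const belowHi = r.hiInclusive ? hi <= 0 : hi < 0;
    if (aboveLo && belowHi) return r;
  }
  return null;
}

function isAffectedNextVersion(version) {
  return affectedRange(version) !== null;
}

// Usage: read the installed version from node_modules/next/package.json rather than
// the "^14.x" specifier in your own package.json, which is a range, not a resolved version.
// Constructed sample value for offline demonstration:
const installed = '14.2.24';
console.log(installed, isAffectedNextVersion(installed) ? 'AFFECTED - upgrade' : 'not in affected ranges');
```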
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Critical Vulnerability in Next.js
Next.js has released updates addressing a critical vulnerability (CVE-2025-29927) in the Next.js React framework, which is used for building web applications...
1 day ago

Researchers raise alarm about critical Next.js vulnerability
The software defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization.
1 day ago

Next.js team fixes vuln that allows auth bypass when middleware is used, revises documentation recommending this method • DEVCLASS
2 days ago
References
EPSS Score
49% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- First article discovered by The Hacker News
- Public PoC available
- Exploit known to exist
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Vulnerability published
- Vulnerability reserved