Authorization Bypass in Next.js Framework by Vercel
CVE-2025-29927
Key Information:
Badges
What is CVE-2025-29927?
CVE-2025-29927 is a vulnerability in the Next.js framework, developed by Vercel, which is widely used for building full-stack web applications using React. The vulnerability allows for an authorization bypass when checks are implemented within middleware, potentially enabling unauthorized access to sensitive application resources. Organizations leveraging Next.js for their web applications could face significant security risks, including unauthorized data access or manipulation, if they do not address this flaw promptly.
Technical Details
This vulnerability arises due to improper implementation of authorization checks in Next.js middleware, permitting attackers to bypass controls meant to secure access to specific application functionalities. The issue affects versions prior to 14.2.25 and 15.2.3. It is critical for organizations to upgrade their Next.js frameworks to these versions or later to ensure protection against potential exploitation.
Potential impact of CVE-2025-29927
-
Unauthorized Access: Attackers could gain unauthorized access to user data or restricted application features, compromising the integrity and confidentiality of sensitive information.
-
Data Manipulation Risks: Successful exploitation of this vulnerability may allow attackers to alter or delete data within the application, disrupting services or impacting user trust.
-
Compliance Violations: Organizations could face legal and regulatory repercussions if sensitive information is accessed or breached due to this vulnerability, leading to potential fines and reputational damage.
Affected Version(s)
next.js >= 11.1.4, < 12.3.5 < 11.1.4, 12.3.5
next.js >= 14.0.0, < 14.2.25 < 14.0.0, 14.2.25
next.js >= 15.0.0, < 15.2.3 < 15.0.0, 15.2.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
H-ISAC TLP White Threat Bulletin: Critical Authorization Bypass Vulnerability Announced For Next.js Middleware (CVE-2025-29927) | AHA
On March 23, 2025, a critical vulnerability in Next.js middleware was disclosed and tracked as CVE-2025-29927.

Next.js Middleware Flaw Lets Attackers Bypass Authorization
A critical vulnerability in Next.js middleware allows attackers unauthorized access and control, impacting all versions of the framework.

CrushFTP Warns of HPPS Port Vulnerability Enabling Unauthorized Access
Both CrushFTP, a popular file transfer technology, and Next.js have come under scrutiny due to significant vulnerabilities.
References
EPSS Score
92% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📰
First article discovered by The Hacker News
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
Vulnerability published
Vulnerability Reserved