Authorization Bypass in Next.js Framework by Vercel
CVE-2025-29927

9.1CRITICAL

Key Information:

Vendor
Vercel
Status
Vendor
CVE Published:
21 March 2025

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 81,300 · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 91% · 📰 News Worthy

What is CVE-2025-29927?

CVE-2025-29927 is a vulnerability in the Next.js framework, developed by Vercel, which is widely used for building full-stack web applications using React. The vulnerability allows for an authorization bypass when checks are implemented within middleware, potentially enabling unauthorized access to sensitive application resources. Organizations leveraging Next.js for their web applications could face significant security risks, including unauthorized data access or manipulation, if they do not address this flaw promptly.

Technical Details

This vulnerability arises from improper handling of authorization checks implemented in Next.js middleware, permitting attackers to bypass controls meant to secure access to specific application functionality. The issue affects versions prior to 14.2.25 and 15.2.3 (the full affected ranges are listed under Affected Version(s) below). Organizations should upgrade Next.js to these versions or later to protect against exploitation.

Potential impact of CVE-2025-29927

  1. Unauthorized Access: Attackers could gain unauthorized access to user data or restricted application features, compromising the integrity and confidentiality of sensitive information.

  2. Data Manipulation Risks: Successful exploitation of this vulnerability may allow attackers to alter or delete data within the application, disrupting services or impacting user trust.

  3. Compliance Violations: Organizations could face legal and regulatory repercussions if sensitive information is accessed or breached due to this vulnerability, leading to potential fines and reputational damage.

Affected Version(s)

next.js   Affected: >= 11.1.4, < 12.3.5    Not affected: < 11.1.4, 12.3.5

next.js   Affected: >= 14.0.0, < 14.2.25   Not affected: < 14.0.0, 14.2.25

next.js   Affected: >= 15.0.0, < 15.2.3    Not affected: < 15.0.0, 15.2.3
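The version ranges above are what a defender needs to triage an inventory. The following is an added example (not code from Vercel, Next.js, or this page) that encodes only the three ranges listed here, resolves the exact installed Next.js version from a package-lock.json (lockfile v1 `dependencies` map or v2/v3 `packages` map), and reports whether that version falls inside an affected range and which release fixes it. The sample lockfile objects are constructed for the example; pre-release suffixes such as `-canary.1` are compared on their core `x.y.z` only, which is an assumption of this checker, not a statement from the page.

```javascript
// Added example for CVE-2025-29927 triage. Only the ranges shown on this page
// are encoded; a version outside all of them is reported as "not listed here".
const AFFECTED_RANGES = [
  { min: '11.1.4', fixed: '12.3.5' },
  { min: '14.0.0', fixed: '14.2.25' },
  { min: '15.0.0', fixed: '15.2.3' },
];

// Parse "x.y.z" (leading "v" and any pre-release suffix ignored; assumption of
// this example) into three non-negative integers.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a semver x.y.z version: ${v}`);
  }
  return parts;
}

// Numeric major/minor/patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Check one exact version against the listed ranges (min inclusive, fixed exclusive).
function checkNextVersion(version) {
  for (const range of AFFECTED_RANGES) {
    if (compareVersions(version, range.min) >= 0 &&
        compareVersions(version, range.fixed) < 0) {
      return { version, affected: true, fixedIn: range.fixed };
    }
  }
  return { version, affected: false, fixedIn: null };
}

// Resolve the exact installed "next" version from a parsed package-lock.json.
// Lockfile v2/v3 carry a "packages" map keyed by path; v1 carries "dependencies".
// The exact pinned version matters: a package.json range like "^14.2.0" does
// not tell you whether the resolved install is 14.2.24 or 14.2.25.
function installedNextVersion(lock) {
  const fromPackages = lock.packages && lock.packages['node_modules/next'];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies.next;
  if (fromDeps && fromDeps.version) return fromDeps.version;
  return null;
}

// Constructed sample lockfiles (not real project files).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: { '': { dependencies: { next: '^15.1.0' } },
              'node_modules/next': { version: '15.1.0' } },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { next: { version: '14.2.24' } },
};

function reportFromLock(lock) {
  const version = installedNextVersion(lock);
  if (!version) return { version: null, affected: false, fixedIn: null, note: 'next not found in lockfile' };
  const result = checkNextVersion(version);
  result.note = result.affected
    ? `upgrade next to ${result.fixedIn} or later`
    : 'not within the ranges listed here';
  return result;
}

// Stand-alone run: print triage for the two constructed lockfiles.
if (typeof require !== 'undefined' && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
    console.log(JSON.stringify(reportFromLock(lock)));
  }
}
```

Pointing `reportFromLock` at a real lockfile means parsing the file with `JSON.parse` first; monorepos may install `next` under a nested `node_modules/<workspace>/node_modules/next` path, which this example does not walk. A "not within the ranges listed here" result only means the version lies outside the three ranges printed on this page.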

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

H-ISAC TLP White Threat Bulletin: Critical Authorization Bypass Vulnerability Announced For Next.js Middleware (CVE-2025-29927) | AHA

On March 23, 2025, a critical vulnerability in Next.js middleware was disclosed and tracked as CVE-2025-29927.

3 weeks ago

Critical Vulnerability in Next.js

Next.js has released updates addressing a critical vulnerability (CVE-2025-29927) in Next.js React framework, which is used for building web applications...

4 weeks ago

Researchers raise alarm about critical Next.js vulnerability

The software defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization.

4 weeks ago

References

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📰 First article discovered by The Hacker News

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 📈 Vulnerability started trending

  • Vulnerability published

  • Vulnerability Reserved