What is the CVSS score of CVE-2025-29927?

CVE-2025-29927 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 93.0%.

Which versions of Next.js are affected by CVE-2025-29927?

Organizations using version 1.11.4 and face critical risk from CVE-2025-29927 rated CVSS 9.1.. A patch is available.

Is there a public PoC exploit available for CVE-2025-29927?

Yes, a public proof-of-concept exploit is available for CVE-2025-29927. Prioritise patching immediately. EPSS: 93.0%.

How to fix or mitigate CVE-2025-29927?

Within 24 hours: Identify all affected systems running version 1.11.4 and and apply vendor patches immediately. Vendor patch is available.

Next.js CVE-2025-29927

CRITICAL

Improper Authorization (CWE-285)

2025-03-21 security-advisories@github.com

Authentication Bypass Red Hat Next.js

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Sep 10, 2025 - 15:49 vuln.today

Public exploit code

CVE Published

Mar 21, 2025 - 15:15 nvd

CRITICAL 9.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

16 npm packages depend on next (15 direct, 1 indirect)

Ecosystem-wide dependent count for version 13.0.0.

DescriptionNVD

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

AnalysisAI

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.

Technical ContextAI

Next.js middleware runs before route handlers and is commonly used for authentication, authorization, geo-restrictions, and CSP headers. The vulnerability exploits the x-middleware-subrequest internal header: when present with specific values, the framework treats the request as an internal subrequest and skips middleware execution entirely. This header is not stripped from external requests.

RemediationAI

Update to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. If patching is not feasible, configure your reverse proxy or CDN to strip the x-middleware-subrequest header from all incoming requests. Do not rely solely on middleware for critical authorization checks.