Skip to main content

Next.js CVE-2025-29927

CRITICAL
Improper Authorization (CWE-285)
2025-03-21 security-advisories@github.com
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
9.1 CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:32 vuln.today
Patch released
Mar 28, 2026 - 18:32 nvd
Patch available
PoC Detected
Sep 10, 2025 - 15:49 vuln.today
Public exploit code
CVE Published
Mar 21, 2025 - 15:15 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 npm packages depend on next (15 direct, 1 indirect)

Ecosystem-wide dependent count for version 13.0.0.

DescriptionGitHub Advisory

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

AnalysisAI

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.

Technical ContextAI

Next.js middleware runs before route handlers and is commonly used for authentication, authorization, geo-restrictions, and CSP headers. The vulnerability exploits the x-middleware-subrequest internal header: when present with specific values, the framework treats the request as an internal subrequest and skips middleware execution entirely. This header is not stripped from external requests.

RemediationAI

Update to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. If patching is not feasible, configure your reverse proxy or CDN to strip the x-middleware-subrequest header from all incoming requests. Do not rely solely on middleware for critical authorization checks.

CVE-2017-16877 HIGH POC
7.5 Nov 17

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to

CVE-2025-57822 MEDIUM POC
6.5 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerabil

CVE-2025-6087 CRITICAL
9.1 Jun 16

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected sy

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2025-48947 HIGH
7.7 Jun 04

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring

CVE-2025-32421 LOW
3.7 May 14

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability

CVE-2025-30218 LOW
1.7 Apr 02

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability

CVE-2025-57752 MEDIUM
6.2 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerabil

CVE-2025-55173 MEDIUM
4.3 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerabil

CVE-2025-48068 LOW
2.3 May 30

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability

CVE-2024-56332 MEDIUM
5.3 Jan 03

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerabil

Vendor StatusVendor

Share

CVE-2025-29927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy