Next.js CVE-2025-29927
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 16 npm packages depend on next (15 direct, 1 indirect)
Ecosystem-wide dependent count for version 13.0.0.
DescriptionGitHub Advisory
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
AnalysisAI
Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.
Technical ContextAI
Next.js middleware runs before route handlers and is commonly used for authentication, authorization, geo-restrictions, and CSP headers. The vulnerability exploits the x-middleware-subrequest internal header: when present with specific values, the framework treats the request as an internal subrequest and skips middleware execution entirely. This header is not stripped from external requests.
RemediationAI
Update to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. If patching is not feasible, configure your reverse proxy or CDN to strip the x-middleware-subrequest header from all incoming requests. Do not rely solely on middleware for critical authorization checks.
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerabil
A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected sy
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c
A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerabil
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerabil
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerabil
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today