PT-2025-12427 · Next.Js · Next.Js
Cold-Try · Published 2025-03-21 · Updated 2026-03-17 · CVE-2025-29927
CVSS v2.0: 9.4 Critical (AV:N/AC:L/Au:N/C:C/I:C/A:N)
Name of the Vulnerable Software and Affected Versions: Next.js versions 11.1.4 through 15.2.2

Description: Next.js is susceptible to an authorization bypass vulnerability (CVE-2025-29927) with a CVSS score of 9.1. This flaw allows attackers to bypass middleware authorization checks by manipulating the x-middleware-subrequest header. Exploitation can lead to unauthorized access to protected resources. The vulnerability affects versions 11.1.4 through 15.2.2. Numerous reports indicate active exploitation of this vulnerability. A PoC exploit is publicly available. The vulnerability stems from improper trust of the internal x-middleware-subrequest header. Vercel-hosted applications are automatically protected.

Recommendations: Update Next.js to version 15.2.3 or later, or 14.2.25 or later, or 13.5.9 or later, or 12.3.5 or later. If patching is not immediately possible, implement a workaround by blocking requests containing the x-middleware-subrequest header at the web server or proxy level.
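The interim workaround above, applied as a request pre-filter in front of an unpatched Next.js deployment: any inbound request carrying the internal x-middleware-subrequest header is rejected and logged. This is an added example written for this page, not code from the advisory or from the Next.js project; the function names, the log event name and the sample requests are constructed.

```javascript
// Reverse-proxy style pre-filter implementing the advisory's workaround:
// drop external requests that carry the internal x-middleware-subrequest header.
// Function names and log format are constructed for this example.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Decide whether a request may be forwarded to the Next.js upstream.
// Node lower-cases incoming header names, but raw header maps from other
// sources may not be normalised, so compare case-insensitively.
function evaluateRequest(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      return { allow: false, reason: `external request carried ${BLOCKED_HEADER}` };
    }
  }
  return { allow: true, reason: "" };
}

// One structured log line per rejected request, so exploitation attempts
// against the still-unpatched application can be counted and alerted on.
function logRejection(remote, path, reason) {
  return JSON.stringify({ event: "cve-2025-29927-block", remote, path, reason });
}

// Minimal handler shaped like a Node http listener: (req, res).
// Forwarding to the real upstream is stubbed with a 200 "forwarded" reply.
function handler(req, res) {
  const decision = evaluateRequest(req.headers);
  if (!decision.allow) {
    console.log(logRejection(req.socket && req.socket.remoteAddress, req.url, decision.reason));
    res.writeHead(400, { "content-type": "text/plain" });
    res.end("bad request\n");
    return decision;
  }
  res.writeHead(200, { "content-type": "text/plain" });
  res.end("forwarded\n");
  return decision;
}

// Constructed sample traffic: a normal request and one carrying the header
// in mixed case, as a client controlling raw headers could send it.
const SAMPLE_REQUESTS = [
  { headers: { host: "app.example", accept: "*/*" }, url: "/dashboard", socket: { remoteAddress: "198.51.100.7" } },
  { headers: { host: "app.example", "X-Middleware-Subrequest": "constructed" }, url: "/admin", socket: { remoteAddress: "203.0.113.5" } },
];

// Run the filter over the samples and return the per-request decisions.
function demo() {
  const sink = { writeHead() {}, end() {} };
  return SAMPLE_REQUESTS.map((req) => handler(req, sink).allow);
}
```

To wire this in front of a real deployment, pass `handler` to `http.createServer` and replace the stubbed 200 reply with a proxy to the Next.js upstream.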

Exploit

Fix

DoS

RCE

Incorrect Authorization

Improper Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-03185
CVE-2025-29927
GHSA-F82V-JWR5-MFFW

Affected Products

Next.Js