PT-2025-12427 · Next.Js

Cold-Try

Published 2025-03-21 · Updated 2026-02-03

CVE-2025-29927

CVSS v3.1: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Next.js 11.1.4 through 13.5.6, 14.0.0 through 14.2.24, and 15.0.0 through 15.2.2

Description
Next.js is vulnerable to an authorization bypass when authorization checks are performed in middleware. Next.js uses the internal header x-middleware-subrequest to mark requests that middleware issues to itself and skips middleware execution when the header is present, to prevent infinite recursion. Because affected versions honoured this header on external requests as well, an attacker can add it to a request and cause the middleware, including any authentication or authorization check it implements, to be skipped, gaining unauthorized access to protected routes. The vulnerability has a CVSS v3.1 score of 9.1 and has been actively exploited. Affected versions are 11.1.4 through 13.5.6, 14.x prior to 14.2.25, and 15.x prior to 15.2.3. Successful exploitation bypasses authorization and can lead to exposure or modification of protected data.
Recommendations
Update to Next.js 15.2.3 or later (14.2.25 or later on the 14.x branch). If updating is not immediately possible, strip or block the x-middleware-subrequest header on external requests at the web server or reverse proxy, so that a client-supplied value never reaches the application. Independently of the version in use, treat middleware as a first line of defence only and enforce authorization again in the route handler, server action or data layer that serves protected content.
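The mechanism and the two mitigations described above, as an added example that is not Next.js code and not part of this advisory: a simplified model of the runtime's subrequest-skip logic, a request that forges the header, the proxy-side header strip, and a route-level re-check. The middleware name `middleware`, the session cookie format, the session store and the sample requests are assumptions constructed for the example; the exact header value that triggers the skip differs between affected versions, so the matching rule here is deliberately loose.

```javascript
// Added example, not Next.js code: a simplified model of CVE-2025-29927 and
// of the two mitigations the advisory recommends.
//
// Background: affected Next.js versions set x-middleware-subrequest on
// requests that middleware issues to itself, and the runtime skips middleware
// when an incoming request already carries the header naming the middleware,
// to avoid infinite recursion. The header was trusted on external requests
// too, so a client could set it and skip middleware-based authorization.

const MIDDLEWARE_NAME = 'middleware'; // assumed middleware name for this model
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Constructed session store for the example.
const VALID_SESSIONS = new Set(['session-abc123']);

function isAuthenticated(headers) {
  const cookie = headers['cookie'] || '';
  const match = /(?:^|;\s*)session=([^;]+)/.exec(cookie);
  return match !== null && VALID_SESSIONS.has(match[1]);
}

// Authorization check implemented only in middleware (the affected pattern).
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && !isAuthenticated(req.headers)) {
    return { status: 401, body: 'unauthorized' };
  }
  return null; // null means "continue to the route handler"
}

// Model of the vulnerable runtime: a request whose subrequest header names the
// middleware is treated as an internal subrequest, and middleware is skipped.
// Splitting on ':' also covers the repeated "middleware:middleware:..." form.
function vulnerableDispatch(req, routeHandler) {
  const marker = req.headers[SUBREQUEST_HEADER] || '';
  const looksLikeSubrequest = marker.split(':').includes(MIDDLEWARE_NAME);
  if (!looksLikeSubrequest) {
    const blocked = authMiddleware(req);
    if (blocked) return blocked;
  }
  return routeHandler(req);
}

// Mitigation 1 (from the advisory): the reverse proxy in front of the app
// drops the header from every external request before it reaches the runtime.
function stripSubrequestHeaderAtProxy(req) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  return { ...req, headers };
}

// Mitigation 2 (defence in depth): the route re-checks authorization itself,
// so skipping middleware alone is not enough to reach the data.
function adminHandlerUnprotected(req) {
  return { status: 200, body: 'admin data' };
}

function adminHandlerHardened(req) {
  if (!isAuthenticated(req.headers)) return { status: 401, body: 'unauthorized' };
  return { status: 200, body: 'admin data' };
}

// Constructed sample requests (header names lower-cased as Node does).
const anonymous = { path: '/admin/users', headers: {} };
const forged = { path: '/admin/users', headers: { [SUBREQUEST_HEADER]: 'middleware' } };
const loggedIn = { path: '/admin/users', headers: { cookie: 'session=session-abc123' } };

// Runs each scenario and returns the resulting HTTP status codes.
function demo() {
  return {
    anonymousBlocked: vulnerableDispatch(anonymous, adminHandlerUnprotected).status,
    forgedBypasses: vulnerableDispatch(forged, adminHandlerUnprotected).status,
    proxyStripFixes: vulnerableDispatch(stripSubrequestHeaderAtProxy(forged), adminHandlerUnprotected).status,
    routeCheckFixes: vulnerableDispatch(forged, adminHandlerHardened).status,
    legitUser: vulnerableDispatch(loggedIn, adminHandlerHardened).status,
  };
}

console.log(demo());
```

The forged request reaches the unprotected handler with status 200 while the anonymous one is stopped with 401; both the proxy-side strip and the route-level re-check turn the forged request back into a 401 without affecting a logged-in user. To check a real deployment, send a request for a protected route with and without an x-middleware-subrequest header and compare the responses; a difference means the header is being honoured and the mitigation above is not in place.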

Weakness Enumeration

Incorrect Authorization (CWE-863)
Improper Authorization (CWE-285)

Related Identifiers

BDU:2025-03185
CVE-2025-29927
GHSA-F82V-JWR5-MFFW

Affected Products

Next.Js