Triskele Labs Blog

Next.js CVE-2025-29927: Middleware Authorisation Bypass Vulnerability

Written by Adam Skupien, Vulnerability Security Analyst | Mar 26, 2025 3:38:13 AM


 

Purpose

This bulletin addresses a critical middleware authorisation bypass vulnerability, CVE-2025-29927, in the Next.js web development framework.

A public exploit enables an unauthenticated remote attacker to skip the security checks an application implements in Next.js Middleware, including authentication and authorisation, potentially gaining unauthorised access to sensitive areas of the application. Organisations running affected Next.js applications are urged to implement the recommended remediation measures immediately.

On 25 March 2025, the Australian Cyber Security Centre (ACSC) issued a disclosure on CVE-2025-29927, advising that all organisations patch their Next.js deployments.

A temporary workaround is available for environments where patching is not immediately feasible. It involves blocking external user requests that contain the x-middleware-subrequest header before they reach the Next.js application; this header is only ever set internally by Next.js, so no legitimate external request carries it.

 

Vulnerability details

On 22 March 2025, Vercel published a vulnerability disclosure for CVE-2025-29927 and released patches to address the issue. Self-hosted Next.js applications using Middleware (next start with output: standalone) running the following versions of Next.js are affected:

  • Next.js prior to 15.2.3
  • Next.js prior to 14.2.25
  • Next.js prior to 13.5.9
  • Next.js prior to 12.3.5

Next.js applications hosted on Vercel and Netlify are not affected.

The vulnerability lies in how Next.js prevents Middleware from invoking itself recursively. The framework marks its own internal subrequests with the x-middleware-subrequest header and skips Middleware for any request that carries it. Because the header was never validated as having originated from the server, an external client can simply add it with the value the framework expects (the name of the application's middleware module) and Middleware is skipped for that request. Any control enforced only in Middleware, such as authentication, authorisation or a redirect to a login page, is therefore bypassed unless the same check is repeated later in the application flow. A public proof-of-concept exploit is available for this vulnerability; at the time of writing, no active exploitation had been reported.

 

Impact

Exploitation of this vulnerability could enable an attacker to gain access to sensitive web pages reserved for administrators and high-privilege users, and to bypass any other control that the application enforces solely in Middleware.

 

Mitigation actions

Organisations running impacted versions of Next.js should take the following actions:

Apply patches by upgrading to a secure version:

  • Next.js 15.x → 15.2.3 or later
  • Next.js 14.x → 14.2.25 or later
  • Next.js 13.x → 13.5.9 or later
  • Next.js 12.x → 12.3.5 or later

Implement a workaround if patching is not immediately possible:

  • Configure your firewall, WAF or reverse proxy to block external requests that include the x-middleware-subrequest header from reaching your Next.js application. The header is only set by Next.js itself for internal subrequests, so blocking it at the edge does not affect legitimate traffic. Applications behind Cloudflare can turn on a Managed WAF rule to block these requests.

Detection capabilities

Detection logic for this vulnerability has been integrated into vulnerability scanning tools by vendors such as Rapid7 and Qualys. For example:

  • Qualys customers can scan using QID 151052 to identify potentially affected systems.
  • Monitoring web application firewall logs for requests containing the x-middleware-subrequest header can help uncover suspicious activity.
  • Triskele Labs DefenceShield customers using our Assess (Vulnerability Scanning service) and Monitor (24×7 SIEM) solutions are being actively assessed and monitored for indicators of compromise (IOCs) and lateral movement.

 

References