CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2	Patch
https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48	Patch
https://github.com/vercel/next.js/releases/tag/v12.3.5	Release Notes
https://github.com/vercel/next.js/releases/tag/v13.5.9	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/23/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/03/23/4	Mailing List
https://security.netapp.com/advisory/ntap-20250328-0002/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*

History

No history.

Information

Published : 2025-03-21 15:15

Updated : 2025-09-10 15:49

NVD link : CVE-2025-29927

Mitre link : CVE-2025-29927

CVE.ORG link : CVE-2025-29927

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2025-29927", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-03-21T15:15:42.660", "references": [{"url": "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/vercel/next.js/releases/tag/v12.3.5", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/vercel/next.js/releases/tag/v13.5.9", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/23/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/23/4", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250328-0002/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-285"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3."}, {"lang": "es", "value": "Next.js es un framework de React para crear aplicaciones web full-stack. En versiones anteriores a la 14.2.25 y la 15.2.3, era posible omitir las comprobaciones de autorizaci\u00f3n dentro de una aplicaci\u00f3n Next.js si esta se realizaba en middleware. Si no es posible aplicar una versi\u00f3n segura, se recomienda evitar que las solicitudes de usuarios externos que contengan el encabezado \"x-middleware-subrequest\" lleguen a la aplicaci\u00f3n Next.js. Esta vulnerabilidad se corrigi\u00f3 en las versiones 14.2.25 y 15.2.3."}], "lastModified": "2025-09-10T15:49:40.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6D275D05-70E5-49CA-BCFE-74B31DB3D8EF", "versionEndExcluding": "12.3.5", "versionStartIncluding": "11.1.4"}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "49731FD6-617A-42DE-9F95-A7F42809C32F", "versionEndExcluding": "13.5.9", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5F836D0E-1580-40C6-93E5-6DB939E7BA86", "versionEndExcluding": "14.2.25", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E214D84F-7B55-4089-B1C4-9BF8B7AC7375", "versionEndExcluding": "15.2.3", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}