Understanding the Threat
Next.js, a popular React framework for building full-stack web applications, has recently faced a significant security challenge. The vulnerability, identified as CVE-2025-29927, allows attackers to bypass authorization checks within Next.js applications. This flaw affects versions prior to 14.2.25 and 15.2.3, posing a serious risk to self-hosted deployments.
The Vulnerability Breakdown
At the heart of the issue is the x-middleware-subrequest header. This internal header is used to prevent recursive requests from triggering infinite loops.
However, a security report revealed that it was possible to skip running Middleware. This oversight could allow requests to bypass critical checks, such as authorization cookie validation, before reaching routes.
Who's Affected?
- Self-hosted Next.js applications using Middleware (next start with output: standalone) are at risk.
- Applications relying on Middleware for auth or security checks that are not validated later in the application flow.
Who's Safe?
- Applications hosted on Vercel, Netlify, and Cloudflare are not affected.
- Applications deployed as static exports (Middleware not executed) are also safe.
Timeline of Events
- February 27, 2025: Disclosure to the Next.js team via GitHub private vulnerability reporting.
- March 14, 2025: Next.js team began triaging the report and pushed patches for versions 14.x and 15.x.
- March 17, 2025: Next.js 14.2.25 released.
- March 18, 2025: Next.js 15.2.3 released.
- March 18, 2025: CVE-2025-29927 issued by GitHub.
- March 21, 2025: Security Advisory published.
Immediate Actions
To safeguard your applications:
- Update Immediately: Upgrade to Next.js version 14.2.25 or 15.2.3 or later.
- Prevent External Requests: If updating is not feasible, block external user requests containing the x-middleware-subrequest header from reaching your Next.js application.
Additional Measures
For those unable to update immediately, implementing additional server-side checks for authorization in your app logic can serve as a temporary workaround. This ensures that even if Middleware is bypassed, your application remains secure.
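As an added illustration of the two interim measures above (this is example code, not from the Next.js project or the linked POC repository), a small Node.js front guard that rejects external requests carrying x-middleware-subrequest and strips the header from anything it forwards. The guard function and its forward callback are assumptions; the app's own authorization check in the route handler remains the real safeguard.

```javascript
// Added example, not from the Next.js project or the POC repository.
// Interim mitigation for CVE-2025-29927: a tiny front guard that refuses
// external requests carrying the internal x-middleware-subrequest header
// and strips it from anything forwarded to the Next.js process.
// Assumption: the Next.js app is reachable only through this guard.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Node lower-cases incoming header names, but normalise anyway so the same
// check works on header objects coming from tests, logs or other proxies.
function hasInternalHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER
  );
}

// Verdict for one inbound request: any presence of the header is enough to
// block, regardless of its value, since no legitimate client ever sends it.
function inspectRequest(headers) {
  return hasInternalHeader(headers)
    ? { block: true, reason: `external request carries ${INTERNAL_HEADER}` }
    : { block: false, reason: "ok" };
}

// Copy of the headers with the internal header removed, for forwarding
// upstream: defence in depth in case a deployment prefers to strip the
// header rather than reject the request outright.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== INTERNAL_HEADER) out[name] = value;
  }
  return out;
}

// Request handler shaped like a Node http listener. `forward(headers)` is a
// placeholder (assumption) for whatever proxies the request on to Next.js.
function guardRequest(req, res, forward) {
  const verdict = inspectRequest(req.headers);
  if (verdict.block) {
    // Log for detection: repeated hits are a useful signal of probing.
    console.warn(`[blocked] ${req.method} ${req.url}: ${verdict.reason}`);
    res.writeHead(400, { "content-type": "text/plain" });
    res.end("Bad Request");
    return verdict;
  }
  forward(sanitizeHeaders(req.headers));
  return verdict;
}
```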
Proof of Concept
A comprehensive proof of concept (POC) has been developed to demonstrate this vulnerability. This POC includes both a vulnerable Next.js application and an exploit script, making it an excellent educational resource for understanding the security implications.
Key Features of the POC
- Demo Application: Includes a protected dashboard route to demonstrate the vulnerability
- Exploit Script: A testing tool that can verify if any Next.js application is vulnerable
- Detailed Documentation: Comprehensive instructions for setup and testing
- Fix Implementation: Includes guidance on proper security implementations
Testing for Vulnerability
The POC's exploit script can be used to test any Next.js application with a simple command:
npm run exploit <target-url>
The tool will then:
- Test the route with a normal request
- Attempt to bypass middleware using the x-middleware-subrequest header
- Compare responses to determine vulnerability status
Sources:
- https://nextjs.org/blog/cve-2025-29927
- https://nvd.nist.gov/vuln/detail/CVE-2025-29927
- https://github.com/advisories/GHSA-f82v-jwr5-mffw
- https://github.com/kOaDT/poc-cve-2025-29927