THE THREAT
On March 22nd, Next.js released a security advisory addressing a critical authorization bypass vulnerability in the Next.js framework. The vulnerability, tracked as CVE-2025-29927 (CVSS: 9.1) allows an attacker to bypass authorization checks enforced by the middleware, which could give threat actors access to restricted pages meant for admins or users with higher privileges. Proof-of-Concept (PoC) exploit code is available, simplifying the attack process for less skilled threat actors.
Due to the high CVSS score, availability of vulnerable assets, and the release of PoC exploit code, the eSentire Threat Intelligence team assesses that real-world exploitation is probable in the near-term. Websites using Next.js for authorization should apply the recommended fixes immediately.
What we're doing about it
-
eSentire's Tactical Threat Response team has developed eSentire MDR for Network detections to identify exploitation attempts.
-
eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to detect this vulnerability as they become available
-
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
-
After performing a business impact review, apply the relevant security patches immediately
-
Upgrade to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3
-
If patching is not immediately possible, Next.js has recommended blocking any external requests that contain the "x-middleware-subrequest" header from reaching the web application
Additional information
Next.js is a React framework used to build interactive web applications. It is widely adopted by developers across various industries because of its features that enable the creation of complex web applications. The vulnerability resides in the middleware of Next.js framework. This middleware serves multiple purposes including path rewriting, server-side redirects, adding elements such as headers to the response and most critical authentication and authorization.
Security researcher Rachid Allam discovered and reported a critical vulnerability in Next.js in late February. He has since shared the technical details related to the flaw, along with a Proof-of-Concept (PoC) exploit code. The vulnerability stems from how the Next.js middleware function (runMiddleware) processes the "x-middleware-subrequest" request header. By modifying the value of this header, an attacker can bypass the middleware checks entirely. CVE-2025-29927, can be exploited to bypass authorization controls to access admin pages and other protected routes, to circumvent the Content Security Policy (CSP) header, which could potentially lead to Cross-Site Scripting (XSS) attacks, and to execute Denial-of-Service (DoS) attacks through cache poisoning.
Given the widespread adoption of Next.js and the release of PoC exploit code, it is crucial to address CVE-2025-29927 as quickly as possible. Applications that are self-hosted on Next.js and use middleware for access control mechanisms like authentication and authorization are particularly vulnerable if they are running a susceptible version of Next.js. However, applications deployed on platforms like Vercel, Netlify, or static deployments that do not rely on middleware are unaffected by this vulnerability.
Impacted Versions list:
-
Next.js versions starting from 11.1.14
References:
[1] https://nextjs.org/blog/cve-2025-29927
[2] https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
[3] http://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass#technical-detail
