Advisory

March 27 Advisory: Authentication Bypass Vulnerability in Next.js [CVE-2025-29927]

Date of Disclosure (source): March 24, 2025

CVE-2025-29927 is a critical vulnerability affecting Next.js versions from 11.1.4 up to, but not including, 12.3.5, 13.0.0 to 13.5.8, 14.0.1 through 14.2.24, and 15.0.1 through 15.2.2.

If successfully exploited, this vulnerability allows a threat actor to bypass authorization checks within a Next.js application, provided the authorization check is performed in middleware.

A technical analysis published by JFrog demonstrates how a malicious actor could exploit this weakness by sending a specially crafted HTTP request with the x-middleware-subrequest header to bypass the authorization check and access protected resources.

At the time of writing, CVE-2025-29927 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, malicious IP addresses were observed attempting to exploit this vulnerability in GreyNoise Visualizer (see query).

This issue has been patched in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. According to GitHub’s advisory, applications hosted on Vercel are not affected, as Vercel has implemented infrastructure-level protections.

For deployments where patching is not immediately feasible, GitHub recommends blocking external requests containing the x-middleware-subrequest header from reaching your Next.js application.
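The workaround above, keeping the x-middleware-subrequest header out of external requests, belongs at the reverse proxy or edge service in front of the application rather than in the application itself. The Node.js snippet below is an added illustration written for this page; it is not code from Next.js, GitHub, JFrog or Censys. The header name is the advisory's; the function names, the reject/strip policy switch, the `forward` upstream hook and the constructed sample headers are assumptions. It rejects (or, optionally, strips) the header so the application never receives it from outside, and emits a structured record so attempts can be monitored.

```javascript
// Added example (not from the advisory, Next.js, GitHub or Censys): an
// edge/reverse-proxy filter implementing the vendor workaround of keeping
// external requests that carry x-middleware-subrequest away from the app.
// Assumptions: the function names, the 'reject'/'strip' policy, the
// `forward` upstream hook and the constructed sample headers below.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Inspect inbound headers from an external client. Returns
// { action: 'allow' | 'strip' | 'reject', headers, reason }.
//   reject: answer 403 whenever the header is present (conservative default;
//           an external client has no legitimate reason to send it).
//   strip:  forward without the header so the application never sees it.
function filterInboundHeaders(headers, mode = 'reject') {
  const cleaned = {};
  let seen = false;
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive. Node lowercases req.headers, but a
    // proxy fed from another source may not, so normalise here.
    if (name.toLowerCase() === BLOCKED_HEADER) {
      seen = true;
      continue;
    }
    cleaned[name] = value;
  }
  if (!seen) return { action: 'allow', headers: cleaned, reason: null };
  if (mode === 'strip') {
    return { action: 'strip', headers: cleaned, reason: `${BLOCKED_HEADER} removed from external request` };
  }
  return { action: 'reject', headers: null, reason: `${BLOCKED_HEADER} present on external request` };
}

// Structured audit record for alerting on blocked or stripped requests.
function auditRecord(req, verdict, clientIp) {
  return {
    ts: new Date().toISOString(),
    client: clientIp,
    method: req.method,
    path: req.url,
    action: verdict.action,
    reason: verdict.reason,
  };
}

// Request handler suitable for http.createServer(). `forward(req, res, headers)`
// is the caller's upstream-proxying function (assumed) and receives the
// cleaned header set.
function createEdgeHandler(forward, mode = 'reject', log = console.log) {
  return (req, res) => {
    const verdict = filterInboundHeaders(req.headers, mode);
    if (verdict.action !== 'allow') {
      log(JSON.stringify(auditRecord(req, verdict, req.socket && req.socket.remoteAddress)));
    }
    if (verdict.action === 'reject') {
      res.writeHead(403, { 'content-type': 'text/plain' });
      res.end('Forbidden');
      return;
    }
    forward(req, res, verdict.headers);
  };
}

// Stand-alone demo on constructed headers (no network involved).
function demo() {
  const external = { host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' };
  console.log(filterInboundHeaders(external).action);                 // reject
  console.log(filterInboundHeaders(external, 'strip').headers);        // { host: 'app.example' }
  console.log(filterInboundHeaders({ host: 'app.example' }).action);  // allow
}
demo();
```

Internal subrequests that Next.js issues to itself do not traverse the public edge, so a filter placed there does not interfere with them; the reject mode is the safer default, with strip as a fallback where a 403 would break legitimate clients behind an intermediary that adds arbitrary headers.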

Field Details

CVE-ID: CVE-2025-29927 – CVSS 9.1 (critical) – assigned by GitHub, Inc.

Vulnerability Description: It is possible to bypass authorization checks within a Next.js application if those checks occur in middleware.

Date of Disclosure: March 21, 2025.

Affected Assets: Next.js routes or API endpoints relying on middleware for authorization, potentially exposing protected pages, user data, or admin functionality.

Vulnerable Software: Affected Next.js (npm) versions:

  • 11.x: > 11.1.4 < 12.3.5
  • 13.x: >= 13.0.0 < 13.5.9
  • 14.x: > 14.0.0 < 14.2.25
  • 15.x: > 15.0.0 < 15.2.3

PoC Available?: A PoC technical analysis was published by JFrog and is available here.

Exploitation Status: While not listed on CISA KEV at the time of writing, malicious IPs were observed attempting to exploit this vulnerability in GreyNoise Visualizer (see query).

Patch Status: This vulnerability is patched in the following versions:

  • Next.js 12.X (12.3.5)
  • Next.js 13.X (13.5.9)
  • Next.js 14.X (14.2.25)
  • Next.js 15.X (15.2.3)

For Next.js 11.X, which has no patched release, the vendor recommended the workaround described above: block external requests carrying the x-middleware-subrequest header before they reach the application.

Additionally, GitHub’s security advisory notes that Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Censys Perspective

At the time of writing, Censys observed 10,078,119 hosts running Next.js software. The overwhelming majority of these hosts did not expose version information, so vulnerability cannot be inferred in most instances.

Around 4.5k hosts did expose a version, 95 of which exposed a version that is vulnerable to this exploit. Version information was derived from values in the X-Powered-By header of Next.js applications or from the generator meta tag in the HTML source code. This number may be an underestimate if there are alternative methods for identifying exposed versions that we are not aware of.
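One way to turn the two fingerprint sources just named (the X-Powered-By header and the generator meta tag) into an affected/not-affected verdict against the version ranges in this advisory. This is an added example for this page, not Censys tooling: the `Next.js <version>` string formats, the function names and the constructed sample fingerprints are assumptions, while the ranges and fixed versions are the ones listed in the Field Details above. Hosts that expose no version come back as unknown, matching the point that vulnerability cannot be inferred for most hosts.

```javascript
// Added example (not Censys tooling): extract a Next.js version from an
// X-Powered-By header or a generator meta tag and check it against the
// affected ranges in this advisory. Assumptions: the "Next.js <version>"
// string formats, the function names and the constructed sample hosts.

// Affected ranges as given in the advisory's version table.
const AFFECTED_RANGES = [
  { min: '11.1.4', minInclusive: false, fixed: '12.3.5' },
  { min: '13.0.0', minInclusive: true,  fixed: '13.5.9' },
  { min: '14.0.0', minInclusive: false, fixed: '14.2.25' },
  { min: '15.0.0', minInclusive: false, fixed: '15.2.3' },
];

// Compare dotted numeric versions. A prerelease suffix such as "-canary.3"
// is dropped and the build treated as its base version (an approximation,
// and an assumption of this example).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside any affected range (below its fix).
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(({ min, minInclusive, fixed }) => {
    const cmpMin = compareVersions(version, min);
    const aboveMin = minInclusive ? cmpMin >= 0 : cmpMin > 0;
    return aboveMin && compareVersions(version, fixed) < 0;
  });
}

// Pull a version out of either fingerprint source; the "Next.js 14.2.24"
// shape is assumed. Returns null when no version is exposed.
const VERSION_RE = /Next\.js[\s/]+v?(\d+(?:\.\d+)*(?:-[0-9A-Za-z.]+)?)/i;
function extractNextVersion({ xPoweredBy = '', generatorMeta = '' } = {}) {
  for (const source of [xPoweredBy, generatorMeta]) {
    const m = VERSION_RE.exec(source);
    if (m) return m[1];
  }
  return null;
}

// Verdict for one host: 'affected', 'not-affected' or 'unknown'.
function assessHost(fingerprint) {
  const version = extractNextVersion(fingerprint);
  if (!version) return { version: null, status: 'unknown' };
  return { version, status: isAffectedVersion(version) ? 'affected' : 'not-affected' };
}

// Constructed sample fingerprints (not observations of real hosts).
const SAMPLE_HOSTS = [
  { xPoweredBy: 'Next.js', generatorMeta: '' },                                                   // unknown
  { xPoweredBy: 'Next.js 14.2.24', generatorMeta: '' },                                           // affected
  { xPoweredBy: '', generatorMeta: '<meta name="generator" content="Next.js 15.2.3">' },         // not-affected
  { xPoweredBy: '', generatorMeta: '<meta name="generator" content="Next.js 13.0.0">' },         // affected
];

for (const host of SAMPLE_HOSTS) {
  console.log(JSON.stringify(assessHost(host)));
}
```

Because a default Next.js installation sends X-Powered-By without a version, most hosts land in the unknown bucket; treating unknown as "needs confirmation from the package manifest" rather than "not affected" is the conservative reading.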

The following query can be used in Censys Platform to detect Next.js applications that were observed exposing a version:

web.software.cpe =~ 'cpe:2.3:a:vercel:nextjs:[\\d.]+' or host.services.software.cpe =~ 'cpe:2.3:a:vercel:nextjs:[\\d.]+'

Map of Next.js Applications Exposing a Vulnerable Version:

Censys Search Query:
services.software: (vendor="Vercel" and product="Next.js")

Censys Platform Query:
host.services.software: (vendor: "vercel" and product: "nextjs") or web.software: (vendor: "vercel" and product: "nextjs")

Censys ASM Query:
host.services.software: (vendor="Vercel" and product="Next.js")

Risk:
risks.name = "Vulnerable Next.js [CVE-2025-29927]"

Please note these fingerprints were recently modified and results may take up to 24 hours to fully propagate.
