Vulnerability Report

CVE-2025-29927

Title: Vercel Next.Js Auth Bypass

Other

Proof Of Concept

PoC Available for CVE-2025-29927

CWE Category CWE-863

Published Date Mar 21, 2025

Modified Date Sep 10, 2025

Exploit Status Available

Score 9.1 CVSS v3.1

Exploit Probability (EPSS)

92.12%

Vulnerability Summary

CVE-2025-29927: Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Impacted Vendors

vercel 1

kanopi 1

zeit 1

Reference Links

https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2 https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48 https://github.com/vercel/next.js/releases/tag/v12.3.5 https://github.com/vercel/next.js/releases/tag/v13.5.9 https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw http://www.openwall.com/lists/oss-security/2025/03/23/3 http://www.openwall.com/lists/oss-security/2025/03/23/4 https://security.netapp.com/advisory/ntap-20250328-0002/

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.1

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2025-29927 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/6mile/nextjs-CVE-2025-29927

View Code

GitHub https://github.com/emadshanab/CVE-2025-29927

View Code

GitHub https://github.com/aydinnyunus/CVE-2025-29927

View Code

Exploit-DB https://www.exploit-db.com/exploits/52124

View Code

September 10, 2025 MODIFIED

Vulnerability data or affected products updated.

September 10, 2025 MODIFIED

Vulnerability data updated via NVD.

March 21, 2025 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Stack

No specific products linked.