CVE-2025-29927

Authorization Bypass in Next.js Middleware

CVSS 9.1 CRITICAL · EPSS 99.6% · CWE-285
In short

Next.js from version 1.11.4 up to, but not including, the fixed releases 12.3.5, 13.5.9, 14.2.25 and 15.2.3 lets an unauthenticated attacker bypass authorization checks implemented in middleware by sending a crafted x-middleware-subrequest header, which makes the server skip the middleware and can grant access to protected resources.

Technical detail

The x-middleware-subrequest header is one Next.js uses internally to mark its own sub-requests so that middleware is not executed again on them. An affected server does not distinguish a client-supplied copy of the header from the internal one, so an attacker who adds it to an ordinary request causes middleware to be skipped entirely: any authorization check, redirect or response-header policy that lives only in middleware never runs, and the request reaches the route as if it had been authorized. Affected are versions 1.11.4 and later before 12.3.5, 13.5.9, 14.2.25 and 15.2.3; the vulnerability is fixed in those releases. The attack needs only network access to the application, with no privileges or user interaction (AV:N, PR:N, UI:N), and results in circumvention of authorization controls. Because the bypass happens before any application code runs, the workaround for deployments that cannot patch is to drop the header at a reverse proxy or CDN in front of the application, and to enforce authorization again inside route handlers and server-side data functions rather than relying on middleware alone.
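One way to apply that workaround at the edge, as an added example that is not code from the Next.js project or from this page: a Node-style request handler for a small forwarding proxy that either rejects or strips any client-supplied x-middleware-subrequest header before the request can reach an unpatched Next.js server. The upstream address, the fail-closed default and the injected forward() plumbing are assumptions for illustration.

```javascript
'use strict';
// Added example (not Next.js project code, not from this page): enforce the
// advisory's workaround at the edge by refusing or stripping any
// x-middleware-subrequest header a client sends, before the request can
// reach an unpatched Next.js server. The upstream address, the fail-closed
// policy and the forward() plumbing are assumptions for illustration.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// True if any case variant of the header is present. Header names are
// case-insensitive, so do not rely on the map already being lowercased.
function hasInternalHeader(headers) {
  return Object.keys(headers || {}).some((n) => n.toLowerCase() === INTERNAL_HEADER);
}

// Returns a copy of the headers with every case variant of the header removed.
function stripInternalHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== INTERNAL_HEADER) clean[name] = value;
  }
  return clean;
}

// Builds a (req, res) handler. `forward` is injected so the policy can be
// exercised without a network; in production it calls http.request() against
// the upstream and pipes the bodies (see the wiring comment below).
//   blockOnPresence: true  -> fail closed with 400 (no legitimate client sends it)
//   blockOnPresence: false -> strip the header and forward
// The handler returns 'blocked' or 'forwarded' so callers and tests can
// observe the decision that was taken.
function createProxyHandler({ upstream, blockOnPresence = true, forward }) {
  return function handle(req, res) {
    if (blockOnPresence && hasInternalHeader(req.headers)) {
      res.writeHead(400, { 'content-type': 'text/plain' });
      res.end('bad request\n');
      return 'blocked';
    }
    forward({
      host: upstream.host,
      port: upstream.port,
      method: req.method,
      path: req.url,
      headers: stripInternalHeader(req.headers),
    }, req, res);
    return 'forwarded';
  };
}

// Wiring for a real deployment (assumed addresses; not executed here):
//   const http = require('http');
//   const handler = createProxyHandler({
//     upstream: { host: '127.0.0.1', port: 3000 },
//     forward: (opts, req, res) => {
//       const up = http.request(opts, (r) => { res.writeHead(r.statusCode, r.headers); r.pipe(res); });
//       up.on('error', () => { res.writeHead(502); res.end(); });
//       req.pipe(up);
//     },
//   });
//   http.createServer(handler).listen(8080);
```

Rejecting outright (the default here) is the safer policy, since a client has no legitimate reason to send the header and the request is a clear probe worth logging; stripping is the gentler option for a CDN rule. Either way the proxy only helps if every path to the application passes through it, and it is a stopgap until the fixed release is deployed.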

Summary generated and translated by AI from the official description.
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
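The advisory's advice to keep external requests carrying the header away from the application also gives a hunting rule: any request from an untrusted source that carries x-middleware-subrequest is either a probe or a successful bypass. The following added example, not code from this page or from Next.js, runs that rule over newline-delimited JSON access logs as an edge proxy might emit them. The log shape, field names, trusted source ranges and the sample records are assumptions and constructed data, not real traffic.

```javascript
'use strict';
// Added example (not from this page or the Next.js project): hunt an edge
// proxy's JSON access log for client requests that carried the internal
// x-middleware-subrequest header. The log shape (one JSON object per line
// with a captured `headers` map), the field names and the trusted source
// ranges are assumptions; adapt them to your own logging pipeline.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Constructed sample log, not real traffic. Header values are placeholders;
// detection keys on presence, since no legitimate client ever sends it.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:01Z","src":"203.0.113.10","method":"GET","path":"/dashboard","status":307,"headers":{"host":"app.example","user-agent":"curl/8.5.0"}}',
  '{"ts":"2025-03-23T10:00:02Z","src":"203.0.113.10","method":"GET","path":"/dashboard","status":200,"headers":{"host":"app.example","user-agent":"curl/8.5.0","x-middleware-subrequest":"probe"}}',
  '{"ts":"2025-03-23T10:00:03Z","src":"203.0.113.10","method":"GET","path":"/api/admin/users","status":200,"headers":{"host":"app.example","X-Middleware-Subrequest":"probe"}}',
  '{"ts":"2025-03-23T10:00:04Z","src":"127.0.0.1","method":"GET","path":"/_next/data/page.json","status":200,"headers":{"host":"app.example","x-middleware-subrequest":"internal"}}',
  '{"ts":"2025-03-23T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/account","status":307,"headers":{"host":"app.example","x-middleware-subrequest":"probe"}}',
  '{"ts":"2025-03-23T10:00:06Z","src":"198.51.100.7","method":"GET","path":"/","status":200,"headers":{"host":"app.example"}}',
  'this line is not json',
].join('\n');

// Loopback and RFC 1918 sources are treated as trusted on the assumption that
// only the application's own or internal traffic originates there. Adjust
// this to your topology; an Internet-facing proxy can usually trust nothing.
function isTrustedSource(ip) {
  return ip === '::1' || /^127\./.test(ip) || /^10\./.test(ip) ||
    /^192\.168\./.test(ip) || /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
}

// Case-insensitive header lookup; proxies do not all normalise names.
function headerValue(headers, name) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// Scans newline-delimited JSON records and returns every untrusted request
// that carried the header, plus per-source grouping and parse statistics.
function huntMiddlewareSubrequest(logText, { isTrusted = isTrustedSource } = {}) {
  const findings = [];
  let scanned = 0;
  let malformed = 0;
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      malformed += 1; // keep going; a broken line must not hide the others
      continue;
    }
    scanned += 1;
    const value = headerValue(rec.headers, INTERNAL_HEADER);
    if (value === undefined || isTrusted(rec.src)) continue;
    findings.push({
      ts: rec.ts, src: rec.src, method: rec.method, path: rec.path, status: rec.status, value,
      // A 2xx on a route that should have been protected is the strongest
      // sign that the bypass succeeded; anything else is still a probe.
      severity: rec.status >= 200 && rec.status < 300 ? 'high' : 'medium',
    });
  }
  const bySource = {};
  for (const f of findings) {
    (bySource[f.src] = bySource[f.src] || []).push(f.path);
  }
  return { scanned, malformed, findings, bySource };
}

// Human-readable one-liners for a ticket or alert body.
function summarize(report) {
  return Object.entries(report.bySource).map(([src, paths]) => {
    const high = report.findings.filter((f) => f.src === src && f.severity === 'high').length;
    return `${src}: ${paths.length} request(s) carried ${INTERNAL_HEADER}, ${high} with 2xx: ${paths.join(', ')}`;
  });
}
```

On the constructed sample this reports 203.0.113.10 for two 2xx responses on /dashboard and /api/admin/users and 198.51.100.7 for a redirected probe of /account, while the loopback record is ignored. The 2xx distinction is only a heuristic: compare the response against the same path requested without the header before calling a hit confirmed, and treat any presence from an external source as worth an alert, since the header is never sent by browsers or ordinary clients.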
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
vercel · next.js
Public PoCs found: 121

github · github.com/aydinnyunus/CVE-2025-29927 · 99
github · github.com/AnonKryptiQuz/NextSploit · 91
github · github.com/websecnl/CVE-2025-29927-PoC-Exploit · 19
github · github.com/6mile/nextjs-CVE-2025-29927 · 19
github · github.com/lirantal/vulnerable-nextjs-14-CVE-2025-29927 · 15
github · github.com/azu/nextjs-cve-2025-29927-poc · 15
github · github.com/UNICORDev/exploit-CVE-2025-29927 · 11
github · github.com/phoscoder/ghost-route · 9
github · github.com/MuhammadWaseem29/CVE-2025-29927-POC · 9
github · github.com/gotr00t0day/CVE-2025-29927 · 8
github · github.com/kOaDT/poc-cve-2025-29927 · 7
github · github.com/KaztoRay/CVE-2025-29927-Research · 7
github · github.com/strobes-security/nextjs-vulnerable-app · 6
github · github.com/HoumanPashaei/CVE-2025-29927 · 5
github · github.com/alihussainzada/CVE-2025-29927-PoC · 5
github · github.com/fourcube/nextjs-middleware-bypass-demo · 5
github · github.com/Ademking/CVE-2025-29927 · 4
github · github.com/t3tra-dev/cve-2025-29927-demo · 4
github · github.com/RoyCampos/CVE-2025-29927 · 4
github · github.com/Eve-SatOrU/POC-CVE-2025-29927 · 3
github · github.com/0xWhoknows/CVE-2025-29927 · 3
github · github.com/luq0x/0xMiddleware · 3
github · github.com/c0dejump/CVE-2025-29927-check · 3
github · github.com/EQSTLab/CVE-2025-29927 · 2
github · github.com/arvion-agent/next-CVE-2025-29927 · 2
github · github.com/pouriam23/Next.js-Middleware-Bypass-CVE-2025-29927- · 2
github · github.com/kh4sh3i/CVE-2025-29927 · 2
github · github.com/ferpalma21/Automated-Next.js-Security-Scanner-for-CVE-2025-29927 · 2
github · github.com/nicknisi/next-attack · 2
github · github.com/emadshanab/CVE-2025-29927 · 2
github · github.com/TheresAFewConors/CVE-2025-29927-Testing · 2
github · github.com/Nekicj/CVE-2025-29927-exploit · 2
github · github.com/lem0n817/CVE-2025-29927 · 2
github · github.com/lstudlo/nextjs-cve-demo · 2
github · github.com/Oyst3r1ng/CVE-2025-29927 · 2
github · github.com/mhamzakhattak/CVE-2025-29927 · 1
github · github.com/kuzushiki/CVE-2025-29927-test · 1
github · github.com/ricsirigu/CVE-2025-29927 · 1
github · github.com/yugo-eliatrope/test-cve-2025-29927 · 1
github · github.com/jmbowes/NextSecureScan · 1
github · github.com/m2hcz/PoC-for-Next.js-Middleware · 1
github · github.com/nocomp/CVE-2025-29927-scanner · 1
github · github.com/w2hcorp/CVE-2025-29927-PoC · 1
github · github.com/Kamal-418/Vulnerable-Lab-NextJS-CVE-2025-29927 · 1
github · github.com/alastair66/CVE-2025-29927 · 1
github · github.com/pixilated730/NextJS-Exploit- · 1
github · github.com/0xnxt1me/CVE-2025-29927 · 1
github · github.com/rubbxalc/CVE-2025-29927 · 1
github · github.com/olimpiofreitas/CVE-2025-29927-scanner · 1
github · github.com/moften/CVE-2025-29927_Next.js_Auth_Bypass · 1
github · github.com/kazuya256/next-js-auth-bypass · 1
github · github.com/iteride/CVE-2025-29927 · 1
github · github.com/sermikr0/nextjs-middleware-auth-bypass · 1
github · github.com/Bongni/CVE-2025-29927 · 1
github · github.com/liamromanis101/CVE-2025-29927-NextJS · 1
github · github.com/DanielHallbro/CVE-2025-29927-Nextjs-Bypass-PoC · 1
github · github.com/dedibagus/cve-2025-29927-poc · 0
github · github.com/0xb1lal/CVE-2025-29927 · 0
github · github.com/JOOJIII/CVE-2025-29927 · 0
github · github.com/Naveen-005/Next.Js-middleware-bypass-vulnerability-CVE-2025-29927 · 0
github · github.com/Gokul-Krishnan-V-R/cve-2025-29927 · 0
github · github.com/fahimalshihab/NextBypass · 0
github · github.com/sn1p3rt3s7/NextJS_CVE-2025-29927 · 0
github · github.com/Balajih4kr/cve-2025-29927 · 0
github · github.com/YEONDG/nextjs-cve-2025-29927 · 0
github · github.com/furmak331/CVE-2025-29927 · 0
github · github.com/Si-Ni/CVE-2025-29927-Proof-of-Concept · 0
github · github.com/ValGrace/middleware-auth-bypass · 0
github · github.com/sangrok-jeon/CVE-2025-29927-Nextjs-Analysis · 0
github · github.com/pickovven/vulnerable-nextjs-14-CVE-2025-29927 · 0
github · github.com/l1uk/nextjs-middleware-exploit · 0
github · github.com/darklotuskdb/nextjs-CVE-2025-29927-hunter · 0
github · github.com/ethanol1310/POC-CVE-2025-29927- · 0
github · github.com/elshaheedy/CVE-2025-29927-Sigma-Rule · 0
github · github.com/Knotsecurity/CVE-2025-29927-NextJs-Middleware-Simulation · 0
github · github.com/hujiaozhuzhu/CVE-2025-29927__Next.js · 0
github · github.com/enochgitgamefied/NextJS-CVE-2025-29927 · 0
github · github.com/Grand-Moomin/Vuln-Next.js-CVE-2025-29927 · 0
github · github.com/iSee857/CVE-2025-29927 · 0
github · github.com/ticofookfook/poc-nextjs-CVE-2025-29927 · 0
github · github.com/serhalp/test-cve-2025-29927 · 0
github · github.com/Hirainsingadia/CVE-2025-29927 · 0
github · github.com/Heimd411/CVE-2025-29927-PoC · 0
github · github.com/Toddkk02/CVE-2025-29927 · 0
github · github.com/shahin-shadow/nextjs-auth-bypass · 0
github · github.com/TheWaterbug/alpr-dashboard-patches · 0
github · github.com/EarthAngel666/x-middleware-exploit · 0
github · github.com/metasploit403/cve-2025-29927-lab · 0
github · github.com/enochgitgamefied/NextJS-CVE-2025-29927-Docker-Lab · 0
github · github.com/sagsooz/CVE-2025-29927 · 0
github · github.com/SugiB3o/vulnerable-nextjs-14-CVE-2025-29927 · 0
github · github.com/amitlttwo/Next.JS-CVE-2025-29927 · 0
github · github.com/Nayekah/Next.js-Proof-of-Concept · 0
github · github.com/mickhacking/Thank-u-Next · 0
github · github.com/sahbaazansari/CVE-2025-29927 · 0
github · github.com/b4sh0xf/PoC-CVE-2025-29927 · 0
github · github.com/rgvillanueva28/vulnbox-easy-CVE-2025-29927 · 0
github · github.com/s11s11/CVE-2025-29927 · 0
github · github.com/R3verseIN/Nextjs-middleware-vulnerable-appdemo-CVE-2025-29927 · 0
github · github.com/zs1n/CVE-2025-29927 · 0
github · github.com/MKIRAHMET/CVE-2025-29927-PoC · 0
github · github.com/adjscent/vulnerable-nextjs-14-CVE-2025-29927 · 0
github · github.com/sdrtba/CVE-2025-29927 · 0
github · github.com/bk-security/auth-header-trust-rules · 0
github · github.com/aleongx/CVE-2025-29927 · 0
github · github.com/w3shinew/CVE-2025-29927 · 0
github · github.com/gitgudKrish/cve-2025-29927-nextjs · 0
github · github.com/aleongx/CVE-2025-29927_Scanner · 0
github · github.com/maronnjapan/claude-create-CVE-2025-29927 · 0
github · github.com/amalpvatayam67/day10-nextjs-middleware-lab · 0
github · github.com/0xcucumbersalad/cve-2025-29927 · 0
github · github.com/kuyrathdaro/cve-2025-29927 · 0
github · github.com/yuzu-juice/CVE-2025-29927_demo · 0
github · github.com/0xPThree/next.js_cve-2025-29927 · 0
github · github.com/jeymo092/cve-2025-29927 · 0
github · github.com/SwapnilDeshpande/cve-2025-29927-lab · 0
github · github.com/0xPb1/Next.js-CVE-2025-29927 · 0
github · github.com/dante01yoon/CVE-2025-29927 · 0
github · github.com/ayato-shitomi/WebLab_CVE-2025-29927 · 0
github · github.com/Fomovet/cve-2025-29927 · 0
exploitdb · www.exploit-db.com/exploits/52124 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
