CVE-2025-29927

Authorization Bypass
Affects: Next.js >= 11.1.4
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a React framework for building web applications.

A vulnerability (CVE-2025-29927) has been identified in Next.js that allows for authentication bypass in applications using Middleware with a matcher.

An authorization bypass vulnerability occurs when a system fails to properly enforce access controls, allowing an attacker to gain access to resources or perform actions that they are not supposed to have permission to access. This can happen due to flaws in the design or implementation of the authentication or authorization mechanisms.

Authorization bypass is a critical security risk because it can lead to severe consequences, including:

  • Unauthorized Access: Attackers can access sensitive data, such as user information, financial records, or confidential business data.
  • Data Breaches: Successful exploitation can result in large-scale data breaches, compromising the privacy and security of users.
  • Account Takeovers: Attackers may be able to take control of user accounts, leading to identity theft and fraud.
  • System Compromise: In some cases, attackers can gain administrative access to the system, allowing them to modify or delete data, install malware, or disrupt services.

Details

Module Info

Vulnerability Info

This critical-severity vulnerability lies in how the Next.js middleware authentication and authorization layer handles its internal subrequest header.

Due to insufficient validation, an attacker who manipulates the x-middleware-subrequest header can bypass the security checks enforced by the middleware and gain unauthorized access.

This vulnerability does not affect hosted applications (whether on Vercel or Netlify) and does not affect applications deployed as static exports.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Mitigation

Next.js v13 and older have reached End-of-Life and carry existing vulnerabilities, but this one was deemed severe enough that the Next.js team backported a fix.

Fixes are available in the latest versions of 12, 13, 14, and 15. For older versions, or for all other vulnerabilities in versions earlier than 14, users should apply one of the following mitigations:

  • Migrate to the latest version of Next.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2025-29927
  • Project Affected: Next.js
  • Versions Affected: >= 11.1.4
  • Published date: March 23, 2025
  • ≈ Fix date: March 23, 2025
  • Fixed in:
  • Severity: Critical
  • Category: Authorization Bypass