Introduction

On March 21, 2025, a critical vulnerability, CVE-2025-29927, was publicly disclosed with a CVSS score of 9.1, signifying high severity. Discovered by security researcher Rachid Allam, the flaw enables attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. This poses a risk to applications that rely on Middleware to enforce user authorization, validate session data, control route access, handle redirections, and manage UI visibility based on user roles or permissions.

Recommendations

Users whose applications leverage Next.js Middleware for authorization are strongly urged to:

- Update applications: Upgrade to the patched version listed in the affected versions section below.
- Stop header exploits: For applications running a version greater than 11.1.4 and less than or equal to 13.5.6, where no secure version is available, configure load balancers or web servers to block external requests containing the x-middleware-subrequest header from reaching the Next.js application.

Affected Versions

The following table describes impacted Next.js versions, along with the corresponding patched version.

Impacted Version        Patched Version
> 11.1.4, <= 13.5.6     None
> 12.0, < 12.3.5        12.3.5
> 13.0, < 13.5.9        13.5.9
> 14.0, < 14.2.25       14.2.25
> 15.0, < 15.2.3        15.2.3

Table 1: Impacted Next.js versions and their corresponding patched versions.

Background

CVE-2025-29927 is an authorization bypass that allows attackers to circumvent Next.js Middleware controls entirely. By including a specially crafted x-middleware-subrequest HTTP header in requests, attackers can bypass authorization checks and gain unauthorized access to protected resources.

Potential impacts of this vulnerability include:

- Unauthorized access: Attackers could gain access to private resources, APIs, or restricted application areas.
- Data exposure: Exploiting this flaw could lead to the theft of sensitive user information.
- Privilege escalation: Attackers might execute malicious actions, such as accessing administrative features or altering server states.
- Content Security Policy (CSP) bypass: Middleware could be manipulated to modify CSP headers or cookies, potentially compromising application integrity.
- Cache poisoning: In certain configurations, attackers could exploit Middleware to force the caching of 404 responses in applications using a CDN between the Next.js application and the end user. This could r
[…]