CyberSecurity news
FlagThis
@cyberalerts.io
//
A critical vulnerability has been discovered in the widely-used Next.js framework, identified as CVE-2025-29927. This flaw allows attackers to bypass authorization checks within the framework's middleware system. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, making this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services relying on vulnerable versions of the framework.
To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to immediately update, a temporary workaround involves blocking user requests with the 'x-middleware-subrequest' header. Some hosting platforms, like Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without proper credentials, potentially compromising user data and sensitive information.
ImgSrc: blogger.googleu
References :
To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to immediately update, a temporary workaround involves blocking user requests with the 'x-middleware-subrequest' header. Some hosting platforms, like Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without proper credentials, potentially compromising user data and sensitive information.
ImgSrc: blogger.googleu
Share:
References :
- securityonline.info: Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
- Open Source Security: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware
- isc.sans.edu: ISC SANS posting on the Next.js vulnerability
- bsky.app: It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
- Lobsters: How to find Next.js on your network
- Strobes Security: When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered Next.js vulnerability, one of the most widely used...
- securityaffairs.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
- Open Source Security: CVE-2025-29927: Authorization Bypass in Next.js Middleware
- socradar.io: Next.js Middleware Vulnerability (CVE-2025-29927): What You Need to Know and How to Respond
- thehackernews.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
- securityboulevard.com: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
- BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
- Help Net Security: Help Net Security reports on the critical Next.js authentication bypass vulnerability.
- cyberscoop.com: Researchers raise alarm about critical Next.js vulnerability
- Legit Security Blog: Next.js Vulnerability: What You Need to Know
- Resources-2: Discovered a critical vulnerability affecting Next.js middleware, tracked as CVE-2025-29927.
- The DefendOps Diaries: Understanding and mitigating CVE-2025-29927: a critical Next.js vulnerability
- Developer Tech News: Critical security flaw uncovered in Next.js framework
- nsfocusglobal.com: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
- www.techradar.com: Critical security flaw in Next.js could spell big trouble for JavaScript users
- infosec.exchange: : Critical in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks. Great explanation and a Proof-of-Concept demonstration by @_JohnHammond 👇
- SOC Prime Blog: CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability
- Kali Linux Tutorials: CVE-2025-29927 : Next.js Middleware Authorization Bypass – Technical Analysis
- DEVCLASS: Next.js team fixes vuln that allows authorization bypass when middleware is used, revises documentation recommending this method
- Rescana: Executive Summary The discovery of CVE-2025-29927 , a critical vulnerability in Next.js , has raised significant cybersecurity concerns...
- Stormshield: A critical authentication bypass vulnerability impacting the Next.js middleware has been reported. It has been assigned the reference CVE-2025-29927 and a CVSS 3.1 score of 9.1. It should be noted that proof of concept are publicly available about this CVE-2025-29927 vulnerability.
- Fastly Security Blog: CVE-2025-29927: Authorization Bypass in Next.js
- hackread.com: Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.
- NCSC News Feed: The NCSC is encouraging UK organisations to take immediate action to mitigate a vulnerability (CVE-2025-29927) affecting the Next.js framework used to build web applications.
Classification:
- HashTags: #NextjsVulnerability #Cybersecurity #CVE
- Company: Next.js
- Target: Next.js
- Product: Next.js Framework
- Feature: Middleware
- Type: Vulnerability
- Severity: Major