CyberSecurity news
@blog.criminalip.io
A critical authentication bypass vulnerability, CVE-2025-29927, has been discovered in Vercel's Next.js framework. The flaw resides in Next.js middleware, a feature designed to intercept incoming HTTP requests for tasks like authentication, logging, and request modification. This vulnerability allows attackers to circumvent middleware authorization checks, gaining unauthorized access to protected resources. Criminal IP identified over 520,000 assets potentially at risk, emphasizing the widespread impact of this flaw.
Next.js middleware is used for authentication/authorization, request modification, server-side redirects, and Content Security Policy (CSP) implementation. An attacker can bypass these middleware controls by adding a specially crafted `x-middleware-subrequest` header to their HTTP requests. This tricks the application into treating the request as an internal subrequest, effectively bypassing authorization checks. According to the report, the root cause of the vulnerability lies in the `beforeFiles` routing logic within Next.js.
The vulnerability affects Next.js versions 13.4 and above, but prior to 14.1.0. Vercel addressed the vulnerability in versions after v14.1.0-canary.35. Users are strongly advised to upgrade to Next.js version 14.1.0-canary.35 or later to mitigate the risk. Next.js deployments hosted on Vercel are automatically protected against this vulnerability, but self-hosted Next.js applications remain vulnerable unless patched or mitigated. This issue can lead to serious security risks, including data exposure and application compromise.
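For self-hosted deployments that cannot be upgraded immediately, a common mitigation is to reject or strip the `x-middleware-subrequest` header at the proxy or custom server before the request reaches Next.js, and to alert on any external request that carries it. The following is an added example, not code from the article or from Next.js; the function names, the `mode` option and the sample requests are constructed for illustration.

```javascript
// Added example: guard for a proxy or custom server in front of self-hosted Next.js.
// The header name is from the article; everything else here is hypothetical.
const INTERNAL_ONLY_HEADER = 'x-middleware-subrequest';

// rawHeaders follows the layout of Node's http.IncomingMessage.rawHeaders:
// [name, value, name, value, ...] with the client's original casing preserved.
function inspectRequest(rawHeaders, { mode = 'reject' } = {}) {
  const kept = [];
  let seen = 0;
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    // HTTP header names are case-insensitive, so normalize before comparing.
    if (rawHeaders[i].toLowerCase() === INTERNAL_ONLY_HEADER) {
      seen += 1;
    } else {
      kept.push(rawHeaders[i], rawHeaders[i + 1]);
    }
  }
  if (seen === 0) return { action: 'forward', status: null, headers: kept, alert: false };
  // External clients have no reason to send this header: always alert,
  // then either refuse the request or forward it with the header removed.
  return mode === 'strip'
    ? { action: 'forward', status: null, headers: kept, alert: true }
    : { action: 'reject', status: 403, headers: [], alert: true };
}

// Run the same check over request records to produce detection events.
function detect(records) {
  return records
    .filter((r) => inspectRequest(r.rawHeaders).alert)
    .map((r) => ({ ip: r.ip, path: r.path, rule: 'external-' + INTERNAL_ONLY_HEADER }));
}

// Constructed sample traffic (documentation-range IPs, placeholder header values).
const SAMPLE = [
  { ip: '192.0.2.10', path: '/', rawHeaders: ['Host', 'app.example', 'Accept', '*/*'] },
  { ip: '198.51.100.7', path: '/admin',
    rawHeaders: ['Host', 'app.example', 'X-Middleware-Subrequest', 'placeholder'] },
  { ip: '203.0.113.5', path: '/api/users',
    rawHeaders: ['host', 'app.example', 'x-middleware-SUBREQUEST', 'placeholder', 'Accept', '*/*'] },
];

console.log(detect(SAMPLE));
```

Rejecting is the safer default; `strip` mode suits environments where a hard 403 would break monitoring or clients, and it still raises the alert.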
References:
- CIP Blog: Criminal IP Blog Article on Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk
- infosecwriteups.com: Infosec Write-ups Article on How Hackers Exploit CVE-2025–29927 in Next.js Like a Pro
- projectdiscovery.io: Project Discovery Blog on Nextjs Middleware Authorization Bypass
- Anonymous: A critical vulnerability in Next.js middleware, CVE-2025-29927, allows authentication bypass, exposing over 520K assets
- blog.criminalip.io: On March 21, 2025, an authentication bypass vulnerability in Vercel’s Next.js framework, identified as CVE-2025-29927, was disclosed.
Classification:
- HashTags: #NextJS #Middleware #AuthenticationBypass
- Company: Next.js
- Target: Web Applications
- Product: Next.js
- Feature: Authentication Bypass
- Malware: CVE-2025-29927
- Type: Vulnerability
- Severity: Major