Full Report
Hot on the heels of the disclosure of CVE-2025-24813, a newly uncovered RCE vulnerability in Apache Tomcat—actively exploited just 30 hours after its public disclosure and PoC release—another critical security threat has now emerged. Tracked as CVE-2025-29927, the newly uncovered vulnerability has been identified in the Next.js React framework, potentially giving adversaries the green light […] The post CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Next.js Middleware Authorization Bypass Vulnerability
## CVE Details
- CVE ID: CVE-2025-29927
- CVSS Score: N/A (Severity implied as High due to impact)
- CWE: N/A (Specific CWE not provided in the text)
## Affected Systems
- Products: Next.js (Framework by Vercel)
- Versions: Versions before 14.2.25 and before 15.2.3. The workaround guidance below is stated specifically for versions 11.1.4 through 13.5.6.
- Configurations: Self-hosted applications. Vercel-hosted deployments are reported as automatically secured.
## Vulnerability Description
The vulnerability resides in the Next.js Middleware functionality and allows an attacker to bypass the authorization checks implemented there. Exploitation is trivial: it requires only adding a specific HTTP header (`x-middleware-subrequest`) to a request. The bypass can lead to unauthorized access to protected routes, circumvention of Content Security Policies (enabling XSS), or cache poisoning where cache controls are consequently set improperly.
## Exploitation
- Status: PoC available (inferred from the ease of exploitation and from comparison with other recent disclosures; explicit PoC availability is not confirmed in the source, but the attack vector is simple).
- Complexity: Low (Simply adding an HTTP header).
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential access to protected routes/data).
- Integrity: High (Potential for XSS attacks or cache poisoning).
- Availability: Low to Medium (Depending on the downstream effects of unauthorized access or cache manipulation).
## Remediation
### Patches
- Update Next.js to version **14.2.25** or higher.
- Update Next.js to version **15.2.3** or higher.
### Workarounds
- For vulnerable versions 11.1.4 through 13.5.6: Block external user requests containing the `x-middleware-subrequest` header from reaching the Next.js application.
## Detection
- **Indicators of Compromise:** Unauthorized access to routes protected by middleware checks, unusual traffic patterns containing the `x-middleware-subrequest` HTTP header.
- **Detection Methods and Tools:** Monitor ingress traffic for requests containing the `x-middleware-subrequest` header, especially when coupled with attempts to access restricted paths or unusual response codes.
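Turning the detection guidance above into a log check, as an added example that is not part of the original advisory: the scanner below reads structured access-log lines, flags every request carrying `x-middleware-subrequest`, and rates each hit by whether it targeted a protected path and whether the server answered successfully (a 2xx/3xx on a protected route is the pattern that suggests the bypass worked). The JSON log format, the sample lines and the protected path prefixes are constructed assumptions; adapt them to your own logging pipeline and route layout.

```javascript
// Added example, not code from the advisory. Scans structured access-log lines for the
// x-middleware-subrequest header and rates each hit by whether it targeted a protected
// path and whether the server answered successfully. The JSON log format, the sample
// lines and the protected path prefixes are constructed assumptions for illustration.
const SUSPECT_HEADER = 'x-middleware-subrequest';

// Routes the application's middleware is assumed to protect (adjust to your app).
const PROTECTED_PREFIXES = ['/admin', '/dashboard', '/api/internal'];

function hasSuspectHeader(headers) {
  return Object.keys(headers || {}).some((h) => h.toLowerCase() === SUSPECT_HEADER);
}

function isProtectedPath(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Turn one parsed log entry into an alert, or null if the header is absent.
// Severity: a 2xx/3xx answer on a protected path looks like a successful bypass
// (critical); a protected path that was refused is still a probe (high); anything
// else carrying the header is unexpected from an external client (medium).
function classify(entry) {
  if (!hasSuspectHeader(entry.headers)) return null;
  const protectedHit = isProtectedPath(entry.path || '');
  const succeeded = entry.status >= 200 && entry.status < 400;
  let severity = 'medium';
  if (protectedHit && succeeded) severity = 'critical';
  else if (protectedHit) severity = 'high';
  return {
    ts: entry.ts,
    src: entry.src,
    method: entry.method,
    path: entry.path,
    status: entry.status,
    severity,
  };
}

// Parse newline-delimited JSON log lines; malformed lines are counted and skipped
// rather than aborting the scan.
function scanLogs(lines) {
  const alerts = [];
  let malformed = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      malformed += 1;
      continue;
    }
    const alert = classify(entry);
    if (alert) alerts.push(alert);
  }
  return { alerts, malformed };
}

// Constructed sample log (not real traffic). Header names are kept as the client sent
// them to show that matching is case-insensitive.
const SAMPLE_LOG = [
  '{"ts":"2025-03-23T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/admin/users","status":200,"headers":{"Host":"app.example","X-Middleware-Subrequest":"1"}}',
  '{"ts":"2025-03-23T10:00:02Z","src":"203.0.113.5","method":"GET","path":"/","status":200,"headers":{"Host":"app.example"}}',
  '{"ts":"2025-03-23T10:00:03Z","src":"198.51.100.7","method":"GET","path":"/dashboard","status":403,"headers":{"Host":"app.example","x-middleware-subrequest":"1"}}',
  '{"ts":"2025-03-23T10:00:04Z","src":"198.51.100.9","method":"GET","path":"/blog/post-1","status":200,"headers":{"Host":"app.example","x-middleware-subrequest":"1"}}',
  'not json at all',
];

// Print a short triage report for the constructed sample.
function report(lines) {
  const { alerts, malformed } = scanLogs(lines);
  for (const a of alerts) {
    console.log(`${a.severity.toUpperCase()}\t${a.src}\t${a.method} ${a.path} -> ${a.status}`);
  }
  console.log(`${alerts.length} alert(s), ${malformed} malformed line(s) skipped`);
  return alerts;
}

report(SAMPLE_LOG);
```

The "critical" tier is the one worth paging on: an external request that both carried the header and received a successful response on a route your middleware should have guarded. Requests that were refused (the 403 in the sample, as produced by an edge block) still indicate someone testing for the bug and are worth tracking by source address.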
## References
- Vendor Advisory: [github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw](https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw) (Defanged: `github[.]com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw`)