Full Report
The UK’s National Cyber Security Agency has called on Next.js users to patch CVE-2025-29927
Analysis Summary
# Vulnerability: Next.js Authorization Bypass via Internal Header Manipulation
## CVE Details
- CVE ID: CVE-2025-29927
- CVSS Score: Information not explicitly provided in the text. (Severity inferred as **Critical** due to NCSC alert and bypass of authorization checks)
- CWE: Likely related to Improper Access Control or CWE-862 (Missing Authorization) if related to request handling.
## Affected Systems
- Products: Next.js (React-based framework for full-stack web applications)
- Versions:
- All versions of 13.x before 13.5.9
- All versions of 14.x before 14.2.25
- All versions of 15.x before 15.2.3
- All versions from 11.1 (implied range)
- Configurations: Systems utilizing Next.js middleware where authorization checks are performed.
## Vulnerability Description
The vulnerability is an authorization bypass flaw stemming from improper handling of the internal header `x-middleware-subrequest`. This header is used by Next.js to prevent infinite loops caused by recursive requests. An attacker can send an external request that is incorrectly treated by the system as an internal request. This manipulation allows the attacker to bypass critical checks, such as authorization cookie validation, before the request reaches the intended route, leading to unauthorized access to sensitive data.
## Exploitation
- Status: **PoC available** (Proof-of-concept exploits are widely and freely available.)
- Complexity: Implied **Low** given the availability of public PoCs and the urgent warning from NCSC.
- Attack Vector: **Network** (Sending an external request).
## Impact
(Impact ratings are inferred based on the description of bypassing authorization and accessing sensitive data)
- Confidentiality: **High** (Unauthorized access to sensitive data)
- Integrity: **Medium/High** (Potential to modify data if an authorized endpoint is accessed)
- Availability: **Low/Medium** (If exploited to overload internal functions)
## Remediation
### Patches
Next.js maintainers released fixes on March 22. Users should upgrade to versions equal to or higher than:
- Next.js 13.5.9
- Next.js 14.2.25
- Next.js 15.2.3
### Workarounds
No specific workarounds were detailed in the provided text, but immediate patching is strongly urged.
## Detection
- Indicators of Compromise: Look for unusual or unexpected traffic patterns that appear to originate internally but attempt to access protected routes or endpoints typically guarded by middleware checks.
- Detection Methods and Tools: Monitor web server/application logs for requests that might be manipulating specific request headers, particularly `x-middleware-subrequest`, though detecting the bypass reliably without server-side logging analysis related to middleware execution might be difficult.
## References
- Vendor Advisories: Next.js Official Advisory (Information generally found via vendor channels related to the patch releases)
- Relevant links:
- [NCSC Alert Summary (General context)](infosecurity-magazine-com/news/ncsc-urges-patch-nextjs-flaw/)
- [Responsible Disclosure Context](infosecurity-magazine-com/news/openssf-security-framework-open/)