CVE-2025-29927
High PUBLISHEDAuthorization Bypass in Next.js Middleware
Not yet in CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
- CVE Published
- Mar 21, 2025
- Exploitation Reported
- Jul 02, 2026
- CVSS
- 9.1 Critical
- EPSS
- —
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| vercel |
next.js
|
>= 11.1.4, < 12.3.5 |
Affected |
| vercel |
next.js
|
>= 14.0.0, < 14.2.25 |
Affected |
| vercel |
next.js
|
>= 15.0.0, < 15.2.3 |
Affected |
| vercel |
next.js
|
>= 13.0.0, < 13.5.9 |
Affected |
CVE References
- https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw github.com · CVE Record https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-...
- https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2 github.com · CVE Record https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a...
- https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48 github.com · CVE Record https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d1802...
- https://github.com/vercel/next.js/releases/tag/v12.3.5 github.com · CVE Record https://github.com/vercel/next.js/releases/tag/v12.3.5
- https://github.com/vercel/next.js/releases/tag/v13.5.9 github.com · CVE Record https://github.com/vercel/next.js/releases/tag/v13.5.9
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| The Shadowserver First | 2025-12-15 14:29 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-29927.yaml | Apr 25, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitation Status
Exploited in the wild
Recorded 2026-07-02 00:00:00 UTC · The Shadowserver
Proof of concept available
Recorded 2025-03-28 02:31:58 UTC · GitHub
Weaknesses (CWE)
-
Improper Authorization
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-29927.yaml | Apr 25, 2025 |
Recent Mentions
Rapid7 · Jun 26, 2026
Help shape the future of Metasploit FrameworkWe are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here, and you can submit your responses to the form here. The form will stop accepting responses on the 1st of July, 2026.New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfox, and improvements to service and host reporting in bruteforce-related modules.New module content (4)Audiobookshelf Unauthenticated API Authentication Bypass ScannerAuthors: Kenneth LaCroix and swiftbird07Type: AuxiliaryPull request: #21565 contributed by kenlacroixPath: scanner/http/audiobookshelf_auth_bypassAttackerKB reference: CVE-2025-25205Description: Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1).BerriAI LiteLLM Proxy Pre-Auth SQL Injection ScannerAuthors: Kenneth LaCroix and Tencent YunDing Security LabType: AuxiliaryPull request: #21567 contributed by kenlacroixPath: scanner/http/litellm_proxy_sqliAttackerKB reference: CVE-2026-42208Description: Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) — a pre-authentication SQL injection in BerriAI LiteLLM proxy.Next.js Middleware Authorization Bypass ScannerAuthors: Kenneth LaCroix, Rachid Allam, and Yasser AllamType: AuxiliaryPull request: #21566 contributed...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-25 08:51:52 UTC · 0 stars
Next.js middleware bypass exploit
github · Created 2025-04-23 08:19:58 UTC · 0 stars
CVE-2025-29927: Next.js Middleware Bypass Vulnerability
github · Created 2025-04-21 12:50:09 UTC · 1 stars
github · Created 2025-04-18 00:47:47 UTC · 0 stars
github · Created 2025-04-16 22:39:55 UTC · 0 stars
github · Created 2025-04-16 10:28:16 UTC · 0 stars
github · Created 2025-04-16 07:33:54 UTC · 0 stars
Simulates CVE-2025-29927, a critical Next.js vulnerability allowing attackers to bypass middleware authorization by exploiting the internal x-middleware-subrequest HTTP header. Demonstrates unauthorized access to protected routes and provides mitigation strategies.
github · Created 2025-04-14 15:12:13 UTC · 3 stars
Exploit for CVE-2025-29927 (Next.js) - Authorization Bypass
github · Created 2025-04-13 08:23:11 UTC · 0 stars
POC CVE-2025-29927
github · Created 2025-04-11 20:42:09 UTC · 1 stars
Next.js CVE-2025-29927 Hunter
github · Created 2025-04-08 23:25:24 UTC · 0 stars
github · Created 2025-04-08 09:29:48 UTC · 1 stars
github · Created 2025-04-06 20:59:10 UTC · 2 stars
Next.js Middleware Bypass Scanne
github · Created 2025-04-04 12:50:43 UTC · 0 stars
github · Created 2025-04-02 05:19:35 UTC · 0 stars
A basic proof of concept of the CVE-2025-29927 vulnerability that allows to bypass the middleware scripts.
github · Created 2025-04-01 19:23:52 UTC · 0 stars
github · Created 2025-04-01 19:11:30 UTC · 0 stars
Next.js CVE-2025-29927 güvenlik açığı hakkında
github · Created 2025-04-01 15:30:21 UTC · 0 stars
Next.js Middleware Bypass Vulnerability
github · Created 2025-03-30 12:24:15 UTC · 1 stars
github · Created 2025-03-30 03:52:42 UTC · 0 stars
Next.js Auth Bypass Lab ‐ CVE-2025-29927
github · Created 2025-03-29 08:49:38 UTC · 0 stars
Next.js CVE-2025-29927 demonstration
github · Created 2025-03-29 04:13:06 UTC · 1 stars
This script scans a list of URLs to detect if they are using **Next.js** and determines whether they are vulnerable to **CVE-2025-29927**. It optionally attempts exploitation using a wordlist.
github · Created 2025-03-29 02:12:22 UTC · 1 stars
Here is a simple but effective exploit for CVE-2025-29927.
github · Created 2025-03-28 02:31:58 UTC · 0 stars
This repository is for educational and research purposes.
github · Created 2025-03-27 14:11:09 UTC · 0 stars
python script for evaluate if you are vulnerable or not to next.js CVE-2025-29927
github · Created 2025-03-27 12:50:38 UTC · 8 stars
CVE-2025-29927에 대한 설명 및 리서치
github · Created 2025-03-27 11:48:35 UTC · 0 stars
github · Created 2025-03-27 10:06:07 UTC · 0 stars
github · Created 2025-03-27 08:42:03 UTC · 1 stars
next.js CVE-2025-29927 vulnerability exploit
github · Created 2025-03-27 07:41:26 UTC · 0 stars
Este script verifica la vulnerabilidad CVE-2025-29927 en servidores Next.js, probando múltiples cargas en la cabecera x-middleware-subrequest para detectar accesos no autorizados.
github · Created 2025-03-26 19:08:14 UTC · 0 stars
Next.js Acceso no autorizado CVE-2025-29927
github · Created 2025-03-25 22:36:14 UTC · 0 stars
github · Created 2025-03-25 18:02:18 UTC · 3 stars
script to check cve "CVE-2025-29927" while waiting to add it to HExHTTP
github · Created 2025-03-25 11:39:14 UTC · 0 stars
PowerShell script to test if a web app is vulnerable to CVE-2025-29927
github · Created 2025-03-25 10:30:55 UTC · 0 stars
PoC for CVE-2025-29927: Next.js Middleware Bypass Vulnerability. Demonstrates how x-middleware-subrequest can bypass authentication checks. Includes Docker setup for testing.
github · Created 2025-03-25 07:15:36 UTC · 0 stars
github · Created 2025-03-25 02:20:36 UTC · 0 stars
Critical vulnerability in next.js : Bypass middleware authentication
github · Created 2025-03-24 23:13:43 UTC · 0 stars
Sigma Rule for CVE-2025–29927 Detection
github · Created 2025-03-24 19:18:20 UTC · 3 stars
Async Python scanner for Next.js CVE-2025-29927. Uses aiohttp & aiofiles to efficiently process large URL lists, detect vulnerabilities, and save results. Features connection pooling, caching, and chunked processing for fast performance
github · Created 2025-03-24 19:13:35 UTC · 0 stars
A deliberately Next.js app, vulnerable to CVE-2025-29927, Authorization Bypass
github · Created 2025-03-24 15:25:22 UTC · 1 stars
github · Created 2025-03-24 13:27:13 UTC · 2 stars
Next.js Middleware Auth Bypass
github · Created 2025-03-24 13:23:46 UTC · 2 stars
CVE-2025-29927 Authorization Bypass in Next.js Middleware
github · Created 2025-03-24 11:42:14 UTC · 3 stars
CVE-2025-29927 Proof of Concept
github · Created 2025-03-24 09:27:03 UTC · 0 stars
Next.Js 权限绕过漏洞(CVE-2025-29927)
github · Created 2025-03-24 05:07:02 UTC · 4 stars
CVE-2025-29927 Exploit Checker
github · Created 2025-03-23 21:42:09 UTC · 9 stars
Authorization Bypass in Next.js Middleware
github · Created 2025-03-23 19:41:05 UTC · 8 stars
Proof-of-Concept for Authorization Bypass in Next.js Middleware
github · Created 2025-03-23 16:04:50 UTC · 0 stars
github · Created 2025-03-23 12:13:35 UTC · 70 stars
CVE-2025-29927 Proof of Concept
github · Created 2025-03-23 09:22:35 UTC · 4 stars
github · Created 2025-03-23 08:11:09 UTC · 12 stars
A Nuclei template to detect CVE-2025-29927 the Next.js authentication bypass vulnerability
github · Created 2025-03-22 18:42:27 UTC · 5 stars
Next.js Middleware Authorization Bypass
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:29 UTC 7 months ago14:29 UTC · 7 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
02:31 UTC over 1 year ago02:31 UTC · over 1 year ago
Public PoC available
Public proof-of-concept code published
-
14:34 UTC over 1 year ago14:34 UTC · over 1 year ago
CVE published
Vulnerability disclosed publicly
-
13:42 UTC over 1 year ago13:42 UTC · over 1 year ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2025-29927
{
"cve_id": "CVE-2025-29927",
"title": "Authorization Bypass in Next.js Middleware",
"affected_vendor": "vercel",
"affected_product": "next.js",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "High",
"cvss_score": 9.1,
"epss_score": null,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}