VYPR
Critical severityNVD Advisory· Published Mar 21, 2025· Updated Apr 8, 2025

Authorization Bypass in Next.js Middleware

CVE-2025-29927

Description

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 13.0.0, < 13.5.913.5.9
nextnpm
>= 14.0.0, < 14.2.2514.2.25
nextnpm
>= 15.0.0, < 15.2.315.2.3
nextnpm
>= 12.0.0, < 12.3.512.3.5

Affected products

8

Patches

Vulnerability mechanics

References

11

News mentions

4