Authorization Bypass in Next.js Middleware

GHSA-f82v-jwr5-mffw · CVE-2025-29927

Published Mar 21, 2025 · Modified Mar 4, 2026

Description

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)
Allam Yasser (inzo_)

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-29927
WEB https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
WEB https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
PACKAGE https://github.com/vercel/next.js
WEB https://github.com/vercel/next.js/releases/tag/v12.3.5
WEB https://github.com/vercel/next.js/releases/tag/v13.5.9
WEB https://security.netapp.com/advisory/ntap-20250328-0002
WEB https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware
WEB http://www.openwall.com/lists/oss-security/2025/03/23/3
WEB http://www.openwall.com/lists/oss-security/2025/03/23/4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes