CVE-2025-29927
Authorization Bypass in Next.js Middleware
Description
# Impact

It is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware.

# Patches

* For Next.js 15.x, this issue is fixed in `15.2.3`
* For Next.js 14.x, this issue is fixed in `14.2.25`
* For Next.js 13.x, this issue is fixed in `13.5.9`
* For Next.js 12.x, this issue is fixed in `12.3.5`
* For Next.js 11.x, consult the below workaround.

_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._

# Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.

## Credits

- Allam Rachid (zhero;)
- Allam Yasser (inzo_)
How to fix CVE-2025-29927
To remediate CVE-2025-29927, upgrade the affected package to a fixed version below.
- Next.js (`next` on npm): upgrade to 13.5.9 or later. This entry covers the 13.x line; the fixed versions for 12.x, 14.x and 15.x are listed in the description above, and 11.x has no fixed release, so it needs the header-stripping workaround.
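Upgrading removes the middleware skip, but the impact statement points at the deeper design issue: the bypass only matters when middleware is the sole place authorization is checked. The following is an added example, not code from the advisory or from the Next.js project, of a route handler written in the shape of an App Router `GET` export that authorizes the caller itself from the request, so a request that never ran through middleware is still refused. The in-memory session table, the `session` cookie name and the roles are constructed for the example; it uses only the `Request`/`Response` globals that Node.js 18+ provides.

```javascript
// Added example, not from the advisory or Next.js: a handler that does not
// rely on middleware having run. Session store and cookie name are assumptions.

// Constructed session table standing in for a real session store:
// cookie value -> authenticated principal.
const SESSIONS = new Map([
  ['sess-admin-1', { user: 'alice', role: 'admin' }],
  ['sess-user-7', { user: 'bob', role: 'user' }],
]);

// Parse a Cookie header value into a plain object; no dependency needed.
function parseCookies(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Resolve the caller from the `session` cookie (name is an assumption);
// null when there is no valid session.
function getSession(request) {
  const { session } = parseCookies(request.headers.get('cookie'));
  return SESSIONS.get(session) ?? null;
}

function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// Route handler in the shape of an App Router export
// (`export function GET(request)` in app/api/admin/route.js).
// Authorization is decided here, from the request itself, so a request that
// skipped middleware is still rejected.
function GET(request) {
  const session = getSession(request);
  if (!session) return json({ error: 'unauthenticated' }, 401);
  if (session.role !== 'admin') return json({ error: 'forbidden' }, 403);
  return json({ ok: true, user: session.user }, 200);
}

// Build a synthetic request to the protected route.
function requestWith(cookie, extraHeaders = {}) {
  const headers = { ...extraHeaders };
  if (cookie) headers.cookie = cookie;
  return new Request('http://localhost/api/admin', { headers });
}

// Status the handler returns for a given cookie and extra headers.
function statusFor(cookie, extraHeaders = {}) {
  return GET(requestWith(cookie, extraHeaders)).status;
}

console.log('admin session       ->', statusFor('session=sess-admin-1'));
console.log('non-admin session   ->', statusFor('session=sess-user-7'));
console.log('no session          ->', statusFor(null));
// Whatever a request carries in x-middleware-subrequest is irrelevant here:
// the handler never depended on middleware having run.
console.log('no session + header ->', statusFor(null, { 'x-middleware-subrequest': 'x' }));
```

The same rule applies to server components and server actions that read protected data: resolve the session and check the role where the data is read, and treat middleware as a convenience layer (redirects, coarse routing) rather than the security boundary.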
Is CVE-2025-29927 being exploited?
Likely — EPSS is 92.1%, placing CVE-2025-29927 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Next.js (`next` on npm): >= 13.0.0, < 13.5.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |