
CVE-2025-29927: Critical Next.js Flaw Enables Authorization Bypass

A newly disclosed vulnerability in the Next.js React framework has been assigned a CVSS score of 9.1, marking it as a critical security risk. Tracked as CVE-2025-29927, the flaw can be exploited under specific conditions to bypass middleware-based authorization checks, potentially allowing unauthorized access to privileged resources.

The issue stems from how Next.js handles the x-middleware-subrequest header. The framework sets this header on its own internal sub-requests so that middleware does not re-invoke itself in an infinite loop. Affected versions also honour the header when it arrives on an external request, so an attacker who simply adds it to a request can cause middleware to be skipped entirely, bypassing any cookie-based authorization check the middleware performs before a sensitive route is reached.


Security researcher Rachid Allam (also known as zhero and cold-try), who discovered the flaw, has published technical details, making it crucial for developers to act quickly.

Patch for CVE-2025-29927 Available for Multiple Versions

The Next.js team has addressed the vulnerability in the following versions:

  • 12.3.5
  • 13.5.9
  • 14.2.25
  • 15.2.3

Users who cannot immediately update are advised to block any external requests containing the x-middleware-subrequest header from reaching their applications to reduce exposure. Only applications that actually use Next.js middleware (a middleware.ts or middleware.js file) are affected; according to the Next.js advisory, deployments hosted on Vercel or Netlify, or shipped as static exports, are not.
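The following is an added example of that mitigation, written for this page and not taken from the article or from Next.js itself. It is a small Node.js edge filter that rejects (or, alternatively, strips) any inbound request carrying the x-middleware-subrequest header before the request reaches the application. The header name is matched case-insensitively, and the sample requests in the demo are constructed for illustration; the handler signature follows the common Connect/Express (req, res, next) convention, which is an assumption about how you front the app.

```javascript
// Added example (not from the article or from Next.js): reject inbound requests
// that carry the x-middleware-subrequest header. Next.js sets this header only
// on its own internal sub-requests, so a client supplying it is never legitimate.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when the header is present in a headers object, regardless of case.
// Node lowercases incoming header names, but upstream proxies may not.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Connect/Express-style handler (assumed convention): answer 403 if the header
// is present, otherwise hand the request on to the next handler.
function blockSubrequestHeader(req, res, next) {
  if (carriesSubrequestHeader(req.headers)) {
    res.statusCode = 403;
    res.setHeader('content-type', 'text/plain');
    res.end('forbidden');
    return;
  }
  next();
}

// Stripping variant for proxies that prefer to forward the request without the
// header rather than reject it outright. Returns a new headers object.
function stripSubrequestHeader(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== BLOCKED_HEADER) out[name] = value;
  }
  return out;
}

// Constructed sample requests (no network needed) showing the filter decision.
function runFilterDemo() {
  const cases = [
    { 'user-agent': 'curl/8.0', cookie: 'session=abc' },                      // normal client
    { 'X-Middleware-Subrequest': 'middleware', cookie: 'session=abc' },       // attacker-supplied
    { 'x-middleware-subrequest': 'src/middleware' },                          // attacker-supplied
  ];
  return cases.map((headers) => (carriesSubrequestHeader(headers) ? 'blocked' : 'allowed'));
}

console.log(runFilterDemo()); // [ 'allowed', 'blocked', 'blocked' ]
```

Put the filter at the outermost layer you control (a reverse proxy or the first handler in front of the Next.js server), so that the header is gone before the framework ever inspects it. A proxy that strips rather than rejects still protects the app, but rejecting makes the attempt visible in your access logs.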

Risk to Middleware-Only Authorization

According to JFrog, any application relying solely on middleware for user authorization without layered security measures is vulnerable. Attackers can exploit this flaw to gain access to pages reserved for administrators or users with elevated privileges—making it a serious concern for web applications handling sensitive data.
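To make the "middleware-only" risk concrete, here is an added example, written for this page and not part of the article, JFrog's analysis or Next.js. It models an admin route two ways: one handler that assumes middleware has already authorized the request, and one that re-checks the session itself. The dispatch function's middlewareRan flag stands in for whether the framework actually executed the middleware, which is exactly what an attacker could control in the affected versions. The session store, cookie format and routes are all constructed for the demo.

```javascript
// Added example (not from the article, JFrog or Next.js): middleware-only
// authorization fails open when middleware is skipped; a handler that performs
// its own check does not. All data below is constructed for illustration.

// Constructed session store: cookie value -> user record.
const SESSIONS = {
  'sess-admin-1': { user: 'alice', role: 'admin' },
  'sess-user-7': { user: 'bob', role: 'user' },
};

// Pull the session=... value out of a Cookie header and resolve it.
function lookupSession(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  return m ? SESSIONS[m[1]] || null : null;
}

// Middleware as the article describes it: runs before the route and decides
// on the cookie alone. Returns a response to short-circuit, or null to pass.
function authMiddleware(req) {
  const session = lookupSession(req.headers.cookie);
  if (!session || session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return null;
}

// Vulnerable pattern: the handler trusts that middleware already ran.
function adminHandlerMiddlewareOnly(req) {
  const session = lookupSession(req.headers.cookie);
  const who = session ? session.user : 'anonymous';
  return { status: 200, body: 'admin panel for ' + who };
}

// Hardened pattern: the handler performs its own authorization, so skipping
// middleware changes nothing about who gets in.
function adminHandlerLayered(req) {
  const session = lookupSession(req.headers.cookie);
  if (!session || session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return { status: 200, body: 'admin panel for ' + session.user };
}

// Simulated framework dispatch. middlewareRan models whether the framework
// executed middleware for this request; in affected Next.js versions an
// attacker could force it to false for any request.
function dispatch(req, handler, middlewareRan) {
  if (middlewareRan) {
    const denied = authMiddleware(req);
    if (denied) return denied;
  }
  return handler(req);
}

// Constructed requests: anonymous, ordinary user, and a real admin.
function runAuthDemo() {
  const anon = { headers: {} };
  const user = { headers: { cookie: 'session=sess-user-7' } };
  const admin = { headers: { cookie: 'session=sess-admin-1' } };
  return {
    // Middleware runs: the middleware-only handler is protected.
    normalAnon: dispatch(anon, adminHandlerMiddlewareOnly, true).status,
    normalUser: dispatch(user, adminHandlerMiddlewareOnly, true).status,
    // Middleware skipped: the middleware-only handler serves anyone.
    skippedAnon: dispatch(anon, adminHandlerMiddlewareOnly, false).status,
    skippedUser: dispatch(user, adminHandlerMiddlewareOnly, false).status,
    // Middleware skipped: the layered handler still denies non-admins.
    layeredSkippedAnon: dispatch(anon, adminHandlerLayered, false).status,
    layeredSkippedUser: dispatch(user, adminHandlerLayered, false).status,
    layeredSkippedAdmin: dispatch(admin, adminHandlerLayered, false).status,
  };
}

console.log(runAuthDemo());
```

The practical rule this illustrates: treat middleware as a convenience layer for redirects and coarse gating, and enforce authorization where the data is actually read or written (the route handler, server action or API route), so that a framework-level bypass does not turn into data exposure.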

In light of the detailed disclosure and active interest in this vulnerability, developers are urged to apply the latest patches or adopt mitigation strategies as soon as possible.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
