CVE-2025-29927 Scanner

CVE-2025-29927 Scanner - Authorization Bypass vulnerability in Next.js

Short Info


Level

Critical

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

10 days 5 hours

Scan only one

URL

Toolbox

-

Next.js is a popular React framework used by developers to build server-side rendered and static web applications. It is widely adopted for creating dynamic websites and applications due to its performance optimization features and ease of use. Companies and developers across industries rely on Next.js for building scalable and secure web solutions. The middleware functionality in Next.js is critical for implementing security controls, routing, and other application logic.

The vulnerability identified in Next.js involves a middleware bypass that allows attackers to circumvent security controls by exploiting a specially crafted header, 'x-middleware-subrequest.' This bypass can lead to unauthorized access to protected resources and compromise the integrity of the application’s security mechanisms.

Technically, the vulnerability stems from improper handling of the 'x-middleware-subrequest' header within middleware logic, enabling attackers to bypass authorization checks. The affected versions include 11.1.4 through 15.2.2, where this flaw can be exploited by sending malicious requests containing the crafted header.

If exploited, this vulnerability could result in severe consequences such as unauthorized access to sensitive data, disruption of application functionality, or circumvention of critical security controls like authentication and authorization mechanisms.

REFERENCES

 

Get started to protecting your Free Full Security Scan