CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

# Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. # Patches * For Next.js 15.x, this issue is fixed in `15.2.3` * For Next.js 14.x, this issue is fixed in `14.2.25` * For Next.js 13.x, this issue is fixed in 13.5.9 * For Next.js 12.x, this issue is fixed in 12.3.5 * For Next.js 11.x, consult the below workaround. _Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._ # Workaround If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. ## Credits - Allam Rachid (zhero;) - Allam Yasser (inzo_)

# Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. # Patches * For Next.js 15.x, this issue is fixed in `15.2.3` * For Next.js 14.x, this issue is fixed in `14.2.25` * For Next.js 13.x, this issue is fixed in 13.5.9 * For Next.js 12.x, this issue is fixed in 12.3.5 * For Next.js 11.x, consult the below workaround. _Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._ # Workaround If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application. ## Credits - Allam Rachid (zhero;) - Allam Yasser (inzo_)

Next.js es un framework de React para crear aplicaciones web full-stack. En versiones anteriores a la 14.2.25 y la 15.2.3, era posible omitir las comprobaciones de autorización dentro de una aplicación Next.js si esta se realizaba en middleware. Si no es posible aplicar una versión segura, se recomienda evitar que las solicitudes de usuarios externos que contengan el encabezado "x-middleware-subrequest" lleguen a la aplicación Next.js. Esta vulnerabilidad se corrigió en las versiones 14.2.25 y 15.2.3.