Summary
| Item | Details |
|---|---|
| Vulnerability Name | Authentication Bypass in Next.js Middleware (CVE-2025-29927) |
| Released on | March 24, 2025 |
| Affected Component | Next.js |
| Affected Versions | 11.1.4 < Next.js ≤ 13.5.6; 14.0 < Next.js < 14.2.25; 15.0 < Next.js < 15.2.3 |
| Vulnerability Type | Authentication bypass |
| Exploitation Condition | |
| Impact | Exploitation difficulty: easy. Attackers can bypass authentication. Severity: high. Attackers can perform unauthorized operations. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
Next.js is an open source React framework that aims to give developers the tools to build high-performance, scalable web applications.
Vulnerability Description
On March 24, 2025, Sangfor FarSight Labs received notification of the authentication bypass vulnerability in Next.js middleware (CVE-2025-29927), which is classified as a high-level threat.
This vulnerability enables unauthenticated attackers to bypass the authentication checks of Next.js applications when those checks are performed in the middleware. As a result, data leakage, unauthorized operations, and service interruptions may occur.
Affected Versions
The following Next.js versions are affected:
11.1.4 < Next.js ≤ 13.5.6
14.0 < Next.js < 14.2.25
15.0 < Next.js < 15.2.3
Vulnerability Reproduction
Sangfor FarSight Labs has reproduced the vulnerability.

Solutions
Version Check
Open a terminal or command prompt window in the root directory of the project and run the npx next -v command to display the installed Next.js version, as shown in the following figure.
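The following is an added example (not part of this advisory or of Next.js) that compares the version string printed by npx next -v against the affected ranges exactly as this advisory states them, with exclusive lower bounds; the sample output lines are constructed for illustration.

```javascript
// Added example (not from this advisory or from Next.js): check a version
// string such as the output of `npx next -v` against the affected ranges
// listed above. Sample lines at the bottom are constructed for illustration.

// Ranges exactly as stated in this advisory: lower bounds are exclusive,
// 13.5.6 is inclusive, 14.2.25 and 15.2.3 (the fixed releases) are exclusive.
const AFFECTED_RANGES = [
  { low: "11.1.4", high: "13.5.6",  highInclusive: true },
  { low: "14.0",   high: "14.2.25", highInclusive: false },
  { low: "15.0",   high: "15.2.3",  highInclusive: false },
];

// Parse "14.2.24", "v14.2.24" or "Next.js v14.2.24" into [major, minor, patch, rel].
// rel is 0 for a pre-release (e.g. "15.2.3-canary.5") and 1 for a final release,
// so a canary of the fixed version still sorts below the fix and is reported affected.
function parseVersion(text) {
  const m = /v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?/.exec(text);
  if (!m) throw new Error(`no version number found in: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0), m[4] ? 0 : 1];
}

// Element-wise comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside any of the affected ranges.
function isAffected(versionText) {
  const v = parseVersion(versionText);
  return AFFECTED_RANGES.some(({ low, high, highInclusive }) => {
    const aboveLow = compareVersions(v, parseVersion(low)) > 0;
    const cmpHigh = compareVersions(v, parseVersion(high));
    return aboveLow && (highInclusive ? cmpHigh <= 0 : cmpHigh < 0);
  });
}

// Constructed sample outputs of `npx next -v`
for (const line of ["Next.js v14.2.24", "Next.js v14.2.25", "Next.js v15.2.3-canary.5"]) {
  console.log(`${line} -> ${isAffected(line) ? "AFFECTED, upgrade" : "outside affected ranges"}`);
}
```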

Remediation Solutions
Temporary Solution
Prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
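One way to apply this temporary measure on the proxy or gateway tier in front of the application, as an added example that is not part of this advisory or of Next.js: a Connect/Express-style guard (the wiring is hypothetical) that rejects and logs any external request carrying the header; the sample header sets are constructed.

```javascript
// Added example (not from this advisory or from Next.js): a Connect/Express-style
// guard (hypothetical wiring) placed in front of the Next.js application, so
// requests that carry the x-middleware-subrequest header never reach it.
// Sample header sets at the bottom are constructed for illustration.

const BLOCKED_HEADER = "x-middleware-subrequest";

// headers: plain object as Node's http.IncomingMessage.headers provides
// (names lower-cased by Node; the check is still case-insensitive in case a
// different server stack passes raw names). Returns whether the request
// should be blocked and a copy of the headers without the blocked one.
function inspectHeaders(headers) {
  const clean = {};
  let present = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      present = true;
      continue;
    }
    clean[name] = value;
  }
  return { block: present, headers: clean };
}

// Middleware: reject requests from external clients that carry the header.
// Run this on the proxy or gateway tier, not inside Next.js middleware itself,
// because on unpatched versions the bypass skips that layer entirely.
function subrequestHeaderGuard(req, res, next) {
  const { block } = inspectHeaders(req.headers);
  if (block) {
    // Record source address and path for review; do not log request bodies.
    const src = (req.socket && req.socket.remoteAddress) || "unknown";
    console.warn(`[alert] ${src} sent ${BLOCKED_HEADER} for ${req.url}`);
    res.statusCode = 403;
    res.end("Forbidden");
    return;
  }
  next();
}

// Constructed sample header sets
const normal = { host: "app.example", accept: "text/html" };
const suspicious = { host: "app.example", "X-Middleware-Subrequest": "constructed-value" };
console.log(inspectHeaders(normal).block);      // false
console.log(inspectHeaders(suspicious).block);  // true
```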
Official Solution
The latest version has been officially released to fix the vulnerability. Affected users are advised to update the Next.js version to 14.2.25 or 15.2.3.
Download link: https://github.com/vercel/next.js/releases
Sangfor Solutions
Risky Asset Discovery
The following Sangfor services can conduct proactive detection on Next.js applications to discover affected assets in batches in business scenarios:
Sangfor Host Security: The corresponding asset discovery solution has already been released. The rule ID is 0031703.
Sangfor TSS: The corresponding asset discovery solution has already been released. The rule ID is 0031703.
Vulnerability Detection
The following Sangfor services can proactively detect the CVE-2025-29927 vulnerability and quickly identify vulnerability risks in batches:
Sangfor Host Security: The corresponding detection solution will be released on March 31, 2025. The rule ID is SF-2025-00242.
Sangfor TSS: The corresponding detection solution will be released on March 30, 2025. The rule ID is SF-2025-00241.
Sangfor Cyber Guardian Platform: The corresponding detection solution will be released on March 30, 2025. The rule ID is SF-2025-00241. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Sangfor TSS.
Sangfor XDR: The corresponding detection solution will be released on March 31, 2025. The rule ID is SF-2025-00242. In this case, make sure that Sangfor XDR is integrated with Sangfor Host Security.
Vulnerability Monitoring
The following Sangfor services support monitoring for CVE-2025-29927 and can identify affected assets and the impact scope in business scenarios in real time through traffic collection:
Cyber Command: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027468.
Sangfor Cyber Guardian Platform: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027468. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Cyber Command.
Sangfor XDR: The corresponding monitoring solution will be released on April 03, 2025. The rule ID is 11027468.
Vulnerability Prevention
The following Sangfor services can effectively block CVE-2025-29927 exploits:
Network Secure: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027468.
Sangfor Web Application Firewall: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027468.
Sangfor Cyber Guardian Platform: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027468. In this case, make sure that Sangfor Cyber Guardian Platform is integrated with Network Secure.
Sangfor XDR: The corresponding prevention solution will be released on April 03, 2025. The rule ID is 11027468. In this case, make sure that Sangfor XDR is integrated with Network Secure.
Timeline
On March 24, 2025, Sangfor FarSight Labs received notification of the authentication bypass vulnerability in Next.js middleware (CVE-2025-29927).
On March 24, 2025, Sangfor FarSight Labs released a vulnerability alert.
References
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
https://github.com/vercel/next.js/pull/77201
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.