CVE-2025-29927
high-risk
Published 2025-03-21
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Do I need to act?
!
93.0% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (8)
Release Notes
https://github.com/vercel/next.js/releases/tag/v12.3.5
Release Notes
https://github.com/vercel/next.js/releases/tag/v13.5.9
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250328-0002/
56
/ 100
high-risk
Severity
31/34 · Critical
Exploitability
20/34 · Moderate
Exposure
5/34 · Minimal