On March 21, 2025, a security advisory was published regarding CVE-2025-29927, a critical vulnerability in Next.js middleware that permits unauthorized access by exploiting a specific internal header. This issue affects multiple versions of Next.js and poses risks of bypassing middleware security measures. Organizations utilizing affected versions are urged to update immediately to prevent potential data exposure or unauthorized access.
Affected: Next.js applications
Key points:
- CVE-2025-29927 allows authorization bypass in Next.js middleware.
- Impacted versions include Next.js prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
- Attackers can exploit this vulnerability by sending specially-crafted HTTP requests with the header x-middleware-subrequest.
- The vulnerability raises concerns regarding bypassing critical security checks and accessing sensitive content.
- Immediate remediation involves upgrading Next.js or implementing temporary mitigations.
- Scanning activity for this vulnerability is currently low, with numerous payloads resembling normal activity.
- Datadog offers tools for identifying vulnerable services and mitigating the risk.
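An added triage example, not taken from the Datadog article or the Next.js project: it checks a Next.js version string against the fixed releases listed in the key points and flags request records that carry the x-middleware-subrequest header. The function names, record shape and sample data are constructed for illustration, and treating majors below 12 as affected and majors above 15 as fixed is an assumption drawn from the "prior to" wording.

```javascript
// Added example, not from the original page. Fixed releases per major line
// are the ones listed in the key points above.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const INTERNAL_HEADER = "x-middleware-subrequest";

// Parse "15.2.1", "v14.2.25" or "^13.4.0" (range prefix stripped, so a range
// is judged by its lower bound). Returns null when no x.y.z is found.
function parseVersion(raw) {
  const m = /^[\^~v=\s]*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(raw));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = affected, false = not affected, null = version could not be parsed.
function isAffected(raw) {
  const v = parseVersion(raw);
  if (!v) return null;
  const major = v.core[0];
  if (major < 12) return true;  // assumption: "prior to 12.3.5" covers older majors
  if (major > 15) return false; // assumption: later majors already carry the fix
  const cmp = compareCore(v.core, FIXED[major]);
  // A prerelease of the fixed version sorts before it in semver: keep it flagged.
  return cmp < 0 || (cmp === 0 && v.pre);
}

// Return the request records that carry the internal header (case-insensitive).
function requestsWithInternalHeader(records) {
  return records.filter((r) =>
    Object.keys(r.headers || {}).some((h) => h.toLowerCase() === INTERNAL_HEADER));
}

// Constructed sample data: hypothetical service inventory and proxy log records.
const services = { storefront: "14.2.24", admin: "15.2.3", legacy: "^13.4.0" };
const records = [
  { path: "/dashboard", headers: { "User-Agent": "python-requests/2.28.1", "X-Middleware-Subrequest": "placeholder" } },
  { path: "/", headers: { "user-agent": "Mozilla/5.0" } },
];

for (const [name, version] of Object.entries(services)) {
  console.log(`${name} next@${version} affected=${isAffected(version)}`);
}
console.log("flagged paths:", requestsWithInternalHeader(records).map((r) => r.path));
```

A flagged record only shows that the header reached the logging point; whether the request was served depends on the version running behind it.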
MITRE Techniques:
- TA0001: Initial Access – Exploitation of the CVE-2025-29927 vulnerability through HTTP requests.
- TA0002: Execution – Sending a crafted request to execute commands indirectly via the vulnerable middleware.
Indicators of Compromise:
- [IP Address] 134.122.111.207
- [IP Address] 139.162.130.199
- [IP Address] 172.104.149.38
- [User-Agent] Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
- [User-Agent] python-requests/2.28.1
Full Story: https://securitylabs.datadoghq.com/articles/nextjs-middleware-auth-bypass/