CVE-2025-29927: Authorization Bypass in Next.js Middleware

A critical vulnerability in Next.js (CVE-2025-29927) allows unauthorized access to protected routes by bypassing the middleware logic. The issue affects Next.js versions 11.1.4 to 13.5.6, and versions 14.x < 14.2.25 or 15.x < 15.2.3. To mitigate, upgrade to the latest fixed versions (14.2.25+ or 15.2.3+), or apply a firewall rule to block the x-middleware-subrequest header.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
.github/workflows		.github/workflows
src/pages		src/pages
.gitignore		.gitignore
README.md		README.md
middleware.js		middleware.js
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CVE-2025-29927: Authorization Bypass in Next.js Middleware

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

CVE-2025-29927: Authorization Bypass in Next.js Middleware

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages