vercel Next.js up to 14.2.24/15.2.2 Header x-middleware-subrequest improper authorization
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.8 | $0-$5k | 0.15 |
Summary
A vulnerability, which was classified as critical, was found in vercel Next.js up to 14.2.24/15.2.2. Affected is an unknown function of the component Header Handler. Such manipulation of the argument x-middleware-subrequest leads to improper authorization. This vulnerability is documented as CVE-2025-29927. The attack can be executed remotely. Additionally, an exploit exists. You should upgrade the affected component.
Details
A vulnerability was found in vercel Next.js up to 14.2.24/15.2.2 and classified as critical. Affected by this issue is some unknown functionality of the component Header Handler. The manipulation of the argument x-middleware-subrequest with an unknown input leads to a improper authorization vulnerability. Using CWE to declare the problem leads to CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
The advisory is shared for download at github.com. This vulnerability is handled as CVE-2025-29927 since 03/12/2025. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1548.002.
The exploit is available at exploit-db.com. It is declared as proof-of-concept.
Upgrading to version 14.2.25 or 15.2.3 eliminates this vulnerability.
The vulnerability is also documented in the databases at Exploit-DB (52124) and CERT Bund (WID-SEC-2025-0627). Once again VulDB remains the best source for vulnerability data.
Affected
- Vercel Next.js
Product
Type
Vendor
Name
Version
- 14.2.0
- 14.2.1
- 14.2.2
- 14.2.3
- 14.2.4
- 14.2.5
- 14.2.6
- 14.2.7
- 14.2.8
- 14.2.9
- 14.2.10
- 14.2.11
- 14.2.12
- 14.2.13
- 14.2.14
- 14.2.15
- 14.2.16
- 14.2.17
- 14.2.18
- 14.2.19
- 14.2.20
- 14.2.21
- 14.2.22
- 14.2.23
- 14.2.24
- 15.2.0
- 15.2.1
- 15.2.2
Website
- Product: https://github.com/vercel/next.js/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.2VulDB Meta Temp Score: 7.8
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 9.1
CNA Vector (GitHub_M): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper authorizationCWE: CWE-285 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Next.js 14.2.25/15.2.3
Timeline
03/12/2025 🔍03/21/2025 🔍
03/21/2025 🔍
01/04/2026 🔍
Sources
Product: github.comAdvisory: GHSA-f82v-jwr5-mffw
Status: Confirmed
CVE: CVE-2025-29927 (🔍)
GCVE (CVE): GCVE-0-2025-29927
GCVE (VulDB): GCVE-100-300596
CERT Bund: WID-SEC-2025-0627 - Vercel Next.js: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 03/21/2025 16:34Updated: 01/04/2026 21:19
Changes: 03/21/2025 16:34 (67), 04/07/2025 11:18 (11), 09/10/2025 18:01 (1), 01/04/2026 21:19 (7)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.