A critical security vulnerability has been identified in the Next.js React framework, tracked as CVE-2025-29927, with a CVSS score of 9.1. The flaw allows attackers to bypass authorization checks under specific conditions and poses a significant risk to systems running the affected versions. It is particularly concerning for self-hosted Next.js applications that use "next start" with "output: standalone", because it enables unauthorized access to sensitive web pages, such as admin panels, by skipping middleware checks.
The vulnerability arises from the misuse of the internal x-middleware-subrequest header, which Next.js uses to stop recursive middleware requests from looping indefinitely. An external request that carries this header is treated as an internal subrequest, so the middleware is skipped and the request reaches protected routes without the authorization checks the middleware would normally enforce. This issue does not affect Next.js applications hosted on Vercel or Netlify, or those deployed as static exports.
The flaw has been addressed in the Next.js releases 12.3.5, 13.5.9, 14.2.25, and 15.2.3. Users are urged to update to these versions immediately to mitigate the risk. Where patching is not immediately possible, block external requests that contain the x-middleware-subrequest header before they reach the application (for example at a reverse proxy or WAF in front of the Next.js server). Security researcher Rachid Allam, who discovered the flaw, has published detailed technical information, emphasizing the urgency of applying these fixes.
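The interim mitigation above, as an added example that is not code from this advisory, from 1898 & Co or from Next.js: a Node.js edge filter that rejects any external request carrying the x-middleware-subrequest header. The `screenRequest` and `blockSubrequestHeader` helpers and the sample requests are constructed for illustration and assume a Connect/Express-style proxy in front of a self-hosted `next start` deployment.

```javascript
// Added example (not from the advisory, 1898 & Co or Next.js): an edge filter
// for the interim mitigation of CVE-2025-29927. Deploy it in the reverse proxy
// or gateway in front of a self-hosted `next start` app, not inside the app's
// own middleware, because the vulnerable request path skips that middleware.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// HTTP header names are case-insensitive; normalise before comparing so that
// X-Middleware-SubRequest is caught as well as the lower-case form.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER,
  );
}

// Decision for one inbound external request. The header is internal-only, so
// its presence alone is enough to reject; the value is irrelevant.
function screenRequest(headers) {
  if (carriesSubrequestHeader(headers)) {
    return { action: 'reject', status: 403 };
  }
  return { action: 'forward' };
}

// Connect/Express-style handler (req, res, next). `req.headers` is an object
// keyed by header name, as Node's http module provides it.
function blockSubrequestHeader(req, res, next) {
  const decision = screenRequest(req.headers);
  if (decision.action === 'reject') {
    // Worth an alert: legitimate clients never send this header, so every hit
    // is a probe or an exploitation attempt.
    console.warn(`blocked ${req.method} ${req.url}: ${BLOCKED_HEADER} on external request`);
    res.statusCode = decision.status;
    res.end('Forbidden');
    return;
  }
  next();
}

// Constructed sample requests (not captured traffic). The header value here is
// arbitrary; the filter keys on presence only.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/admin', headers: { host: 'app.example', cookie: 'session=abc' } },
  { method: 'GET', url: '/admin', headers: { host: 'app.example', 'X-Middleware-Subrequest': '1' } },
];

// Returns the decision per sample request: ['forward', 'reject'].
function demo() {
  return SAMPLE_REQUESTS.map((r) => screenRequest(r.headers).action);
}
```

Each rejection is a high-confidence detection signal; forwarding the logged source address and path to the SIEM gives a simple indicator of attempted exploitation while the patch is rolled out.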
CVE-2025-29927 is a critical vulnerability in the Next.js framework that allows attackers to bypass authorization checks by exploiting the x-middleware-subrequest header. This flaw can lead to unauthorized access to sensitive areas of a website, such as admin pages, potentially resulting in data breaches or unauthorized data manipulation. The vulnerability primarily affects self-hosted Next.js applications using "next start" with "output: standalone."
The potential impact of this vulnerability is significant, as it could allow attackers to reach high-privilege areas of an application without passing the authorization checks that the middleware is supposed to enforce. This could lead to operational disruptions, data breaches, and financial losses for affected organizations. The vulnerability does not affect applications hosted on Vercel or Netlify, or those deployed as static exports.
Clients using self-hosted Next.js applications with the specified configurations are at risk of unauthorized access to sensitive web pages. This could result in operational disruptions, data breaches, and potential financial losses due to unauthorized data access or manipulation. Additionally, organizations may face reputation damage if sensitive information is exposed or misused.
From a compliance perspective, this vulnerability could lead to regulatory challenges if unauthorized access results in data breaches involving personally identifiable information (PII) or other sensitive data. Organizations may be subject to audits or penalties if they fail to address this vulnerability promptly.
To mitigate the risks associated with CVE-2025-29927, clients should take the following actions:
By taking these steps, clients can significantly reduce the risk of exploitation and protect their systems from unauthorized access. It is crucial to remain vigilant and proactive in applying security updates and monitoring system activity.
1898 & Co is actively addressing the current threat landscape by offering specialized services and solutions tailored to mitigate emerging threats like CVE-2025-29927. Our team is focused on providing thorough security assessments and implementing robust security measures for clients using vulnerable frameworks.
We are updating our security protocols and practices to incorporate the latest threat intelligence and ensure our clients are protected against new vulnerabilities. Our collaborative efforts with industry allies and government agencies enhance our ability to provide timely and effective security solutions.
Our ongoing research and threat intelligence gathering activities enable us to stay ahead of potential threats and offer clients cutting-edge security strategies. We have successfully assisted clients in mitigating similar vulnerabilities through comprehensive security audits and tailored remediation plans.