Critical Middleware Vulnerability in Next.js (CVE-2025-29927) | Cybersecurity

Researchers have discovered a critical security vulnerability in Next.js that allows attackers to easily bypass middleware authorization measures. The vulnerability, designated CVE-2025-29927, was discovered by Rachid Allam and Yasser Allam and has since been assigned a base CVSS score of 9.1. By skipping checks for authorization cookies, attackers can potentially gain access to restricted areas of applications such as admin tools and dashboards. Because of the ease of exploitation and high impact, this vulnerability poses a significant risk to affected systems.

What is CVE-2025-29927?

CVE-2025-29927 is a critical vulnerability in Next.js, a popular React-based web framework, that was publicly disclosed in March 2025. It affects self-hosted applications running versions 11.1.4 through 15.2.2 using the next start command with output: 'standalone'.

The vulnerability allows attackers to bypass authorization middleware by injecting a specially crafted x-middleware-subrequest HTTP header, granting unauthorized access to protected resources. With a CVSS score of 9.1, this flaw poses a serious security risk, particularly for applications that rely solely on middleware for access control without implementing additional server-side authorization checks. While deployments on platforms like Vercel or using static exports are not affected, self-hosted instances must be promptly updated or reconfigured to mitigate potential exploitation.

Affected Versions and Fixes

CVE-2025-29927 affects self-hosted Next.js applications running versions 11.1.4 through 15.2.2, specifically when deployed using the next start command with the output: 'standalone' configuration.

The vulnerability is present in environments where applications rely solely on middleware-based authorization, without implementing additional server-side authentication or access control mechanisms. A key condition for exploitation is the acceptance of the x-middleware-subrequest HTTP header from external sources, which can be used by attackers to trick the application into bypassing middleware logic. Applications deployed on Vercel, Netlify, or as static exports are not vulnerable, as these environments do not expose the middleware in a way that can be exploited. The issue has been patched in the following versions: 15.2.3, 14.2.25, 13.5.9, and 12.3.5, and all users are strongly encouraged to upgrade to these or later versions to mitigate the risk.

Steps to Remediate or Mitigate the Vulnerability

To address CVE-2025-29927, consider the following actions:

Update Next.js: Upgrade to the latest patched versions:

- For Next.js 15.x, update to version 15.2.3.
- For Next.js 14.x, update to version 14.2.25.
- For Next.js 13.x, update to version 13.5.9.
- For Next.js 12.x, update to version 12.3.5.

Implement workarounds if immediate patching is not possible:

- Filter incoming requests: Configure load balancers or reverse proxies to remove the x-middleware-subrequest header from incoming requests.
- Web server configuration: For Nginx, use the proxy_set_header directive to set x-middleware-subrequest to an empty value. In Apache, use the RequestHeader unset directive to remove the header.
- Enhance authorization mechanisms: Implement additional server-side authorization checks beyond middleware to validate user permissions.
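As an added example (not code from the original article or from the Next.js project), the two workarounds above modelled in plain JavaScript against the Web-standard Request/Response API available in Node 18+: an edge-side function that strips the x-middleware-subrequest header before forwarding, and a route handler that performs its own server-side authorization so a request is refused even if middleware never ran. The session cookie name, the SESSIONS store and the function names are illustrative assumptions, not Next.js APIs.

```javascript
// Added example, not from the article or Next.js. Runs on Node 18+ (global
// Request, Response, Headers). Names below are illustrative assumptions.

// Constructed session store standing in for a real session backend.
const SESSIONS = new Map([
  ['sess-admin-1', { user: 'alice', role: 'admin' }],
  ['sess-user-7',  { user: 'bob',   role: 'user'  }],
]);

// Workaround 1 (edge / reverse-proxy layer): drop the framework-internal header
// before the request reaches Next.js, mirroring the Nginx/Apache advice above.
// Request.headers is immutable, so copy, delete, and rebuild the request.
function stripInternalHeaders(request) {
  const headers = new Headers(request.headers);
  headers.delete('x-middleware-subrequest');
  return new Request(request.url, { method: request.method, headers });
}

// Resolve the "session" cookie to a session record; null when absent or unknown.
function sessionFromRequest(request) {
  const cookie = request.headers.get('cookie') ?? '';
  const match = cookie.match(/(?:^|;\s*)session=([^;]+)/);
  return match ? SESSIONS.get(match[1]) ?? null : null;
}

// Workaround 2 (route layer): authorization enforced inside the handler itself,
// independent of middleware. 401 = no valid session, 403 = wrong role.
function authorizeRequest(request, requiredRole) {
  const session = sessionFromRequest(request);
  if (!session) return { status: 401 };
  if (session.role !== requiredRole) return { status: 403 };
  return { status: 200, user: session.user };
}

// Handler for an admin-only route: re-checks authorization on every request, so
// the outcome does not depend on whether the middleware layer was consulted.
function adminHandler(request) {
  const decision = authorizeRequest(request, 'admin');
  if (decision.status !== 200) {
    return new Response('denied', { status: decision.status });
  }
  return new Response(`welcome ${decision.user}`, { status: 200 });
}
```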

Previous Notable Vulnerabilities in Next.js

Monitoring your assets and vendors that use Next.js is an important part of an ongoing security program. Next.js has disclosed a number of vulnerabilities in the past and, like all software, may have more in the future. Examples of prior issues, and reasons to continue monitoring for Next.js vulnerabilities, include:

- Denial of service (DoS) with server actions (January 2025): This vulnerability could be exploited to cause service disruptions.
- Authorization bypass in Next.js (December 2024): A high-severity flaw that allowed unauthorized access under certain circumstances.
- HTTP request smuggling (May 2024): This issue could allow attackers to interfere with the processing of HTTP requests between clients and servers.
