id: CVE-2025-29927-HEADLESS
info:
  name: Next.js Middleware Authorization Bypass
  author: ademking
  severity: critical
  description: |
    A critical vulnerability in Next.js middleware allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header. This flaw affects Next.js versions prior to 14.2.25 and 15.2.3, potentially granting unauthorized access to sensitive resources.
  reference:
    - https://github.com/advisories/GHSA-f82v-jwr5-mffw
    - https://nvd.nist.gov/vuln/detail/CVE-2025-29927
    - https://www.tenable.com/cve/CVE-2025-29927
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2025-29927
    cwe-id: CWE-285
    epss-score: 0.92084
    epss-percentile: 0.99697
  metadata:
    vendor: vercel
    product: Next.js
    framework: node.js
  tags: cve,cve2025,headless,nextjs,vkev
headless:
  - steps:
      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitstable
      - action: script
        name: nextjs_version
        args:
          code: |
            () => {
              if (!window.next || !window.next.version) {
                return "";
              }
              return window.next.version;
            }
    extractors:
      - type: dsl
        part: nextjs_version
        dsl:
          - '"Vulnerable Next.js => " + nextjs_version'
    matchers:
      - type: dsl
        dsl:
          - "compare_versions(nextjs_version, '>= 11.1.4', '<= 13.5.6')"
          - "compare_versions(nextjs_version, '> 14.0.0', '< 14.2.25')"
          - "compare_versions(nextjs_version, '> 15.0.0', '< 15.2.3')"
        condition: or
# digest: 490a004630440220502a4f212e21f086a558ff74afed4ac722c76bcfc5c8fec2f0d80c5eec3e4a5c02204c73a4dbd7b0a8965cc62ca9a1e1a06c2fa81e43f2b3155d79bc6e4adc432c65:922c64590222798bb761d5b6d8e72950
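
A mitigation sketch for deployments that match this template and cannot be upgraded immediately (added example, not part of the template or of Next.js): a wrapper that rejects any request carrying the `x-middleware-subrequest` header before the application handler runs, since a check placed inside the middleware itself is what gets bypassed. `findBlockedHeader`, `guardSubrequestHeader`, `demo` and the stubbed request and response objects are illustrative names and constructed data.

```javascript
// Added example: refuse requests that carry the internal header before they
// reach the Next.js request handler.
const BLOCKED_HEADER = 'x-middleware-subrequest'; // header named in the description

// Return the header name as received if it is present, whatever its casing.
// Node lowercases req.headers keys; objects from other sources may not.
function findBlockedHeader(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.trim().toLowerCase() === BLOCKED_HEADER) return name;
  }
  return null;
}

// Wrap any (req, res, ...) handler. `nextHandler` stands for the app's own
// handler, e.g. what a custom server obtains from app.getRequestHandler().
function guardSubrequestHeader(nextHandler, log = console.warn) {
  return function guarded(req, res, ...rest) {
    if (findBlockedHeader(req.headers) === null) {
      return nextHandler(req, res, ...rest);
    }
    // Record the event for detection; the header value is not logged or echoed.
    log(JSON.stringify({
      event: 'blocked_internal_header',
      header: BLOCKED_HEADER,
      method: req.method,
      url: req.url,
      remote: req.socket ? req.socket.remoteAddress : undefined,
    }));
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden');
    return undefined;
  };
}

// Constructed request/response stubs so the block runs offline.
function demo(headers) {
  const events = [];
  const res = { statusCode: 200, headers: {}, body: '',
    setHeader(k, v) { this.headers[k] = v; }, end(b) { this.body = b || ''; } };
  const app = (req, r) => { r.end('dashboard'); return 'reached-app'; };
  const req = { method: 'GET', url: '/admin', headers,
    socket: { remoteAddress: '192.0.2.10' } };
  const out = guardSubrequestHeader(app, (e) => events.push(e))(req, res);
  return { reached: out === 'reached-app', status: res.statusCode,
    body: res.body, events: events.length };
}
```

Any request that passes through this wrapper with the header set is rejected, including ones an application might generate itself, so the wrapper is a stopgap until the deployment runs 14.2.25, 15.2.3 or later.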