
A critical vulnerability in the Next.js framework allows attackers to bypass authorization checks that applications implement in middleware. It affects versions 11.1.4 through 13.5.6, as well as 14.x releases before 14.2.25 and 15.x releases before 15.2.3.
Tracked as CVE-2025-29927 and assigned a CVSS score of 9.1, the flaw stems from improper handling of the x-middleware-subrequest header, which Next.js uses internally to mark its own sub-requests so that middleware is not re-invoked recursively. Because the value is read from the incoming request, an external client can supply it too. If authorization is enforced in middleware (for example, redirecting unauthenticated users to a login page), an attacker can craft a request carrying this header that causes the middleware to be skipped entirely, circumventing every access check it performs.
Exploiting the vulnerability requires neither privileges nor user interaction and involves no complex technique: a single crafted HTTP request sent over the network suffices. Successful exploitation may expose sensitive data and compromise the integrity of the affected application.
The flaw has been fixed in version 15.2.3, and the 14.x branch has been secured in 14.2.25. At the time of writing, no patches have been released for earlier versions, including all releases between 11.1.4 and 13.5.6. For those versions, the recommended mitigation is to block (or strip) external HTTP requests containing the x-middleware-subrequest header at the proxy or firewall level, so that the header can only ever originate inside the application itself.
Applications deployed on the Vercel platform are not affected by this vulnerability because of safeguards built into the platform. All other users are strongly advised to act immediately, either by upgrading to a fixed version or by filtering the header at the network edge so that crafted requests never reach the application.
The vulnerability is classified as an improper authorization flaw (CWE-285). It does not affect availability, but the ability to reach protected resources without credentials puts the confidentiality and integrity of affected systems at serious risk, which is why it is rated critical despite the absence of any denial-of-service (DoS) vector.