CVE-2025-29927

Medienbericht

EPSS 92.55%
Veröffentlicht 21.03.2025 14:34:49
Zuletzt bearbeitet 10.09.2025 15:49:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Authorization Bypass in Next.js Middleware

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 13

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version >= 11.1.4 < 12.3.5

Vercel ≫ Next.Js SwPlatformnode.js Version >= 13.0.0 < 13.5.9

Vercel ≫ Next.Js SwPlatformnode.js Version >= 14.0.0 < 14.2.25

Vercel ≫ Next.Js SwPlatformnode.js Version >= 15.0.0 < 15.2.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	92.55%	0.997

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html

Media Report

https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-credentials-cleans-teampcp-infections/

Media Report

https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/03/23/3

Third Party Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2025/03/23/4

Mailing List

https://security.netapp.com/advisory/ntap-20250328-0002/