9.1
CVE-2025-29927
- EPSS 99.3%
- Veröffentlicht 21.03.2025 14:34:49
- Zuletzt bearbeitet 10.09.2025 15:49:40
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Authorization Bypass in Next.js Middleware
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 99.3% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
http://www.openwall.com/lists/oss-security/2025/03/23/3
http://www.openwall.com/lists/oss-security/2025/03/23/4
https://security.netapp.com/advisory/ntap-20250328-0002/
https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2
https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48
https://github.com/vercel/next.js/releases/tag/v12.3.5
https://github.com/vercel/next.js/releases/tag/v13.5.9