GHSA-f82v-jwr5-mffw

Source

https://github.com/advisories/GHSA-f82v-jwr5-mffw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-f82v-jwr5-mffw/GHSA-f82v-jwr5-mffw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f82v-jwr5-mffw

Aliases

CVE-2025-29927

Related

CGA-89c9-9j8h-469g

Published

2025-03-21T15:20:12Z

Modified

2025-10-13T15:32:07Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Authorization Bypass in Next.js Middleware

Details

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)
Allam Yasser (inzo_)

Database specific

{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "nvd_published_at": "2025-03-21T15:15:42Z",
    "github_reviewed_at": "2025-03-21T15:20:12Z"
}

References