{"id":3351,"date":"2025-03-25T07:38:58","date_gmt":"2025-03-25T07:38:58","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3351"},"modified":"2025-05-12T05:46:17","modified_gmt":"2025-05-12T05:46:17","slug":"the-critical-severity-vulnerability-in-the-next-js-framework-cve-2025-29927","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/the-critical-severity-vulnerability-in-the-next-js-framework-cve-2025-29927\/","title":{"rendered":"The Critical Severity Vulnerability in the Next.js Framework (CVE-2025-29927)"},"content":{"rendered":"\n

One of the most famous JavaScript frameworks, \u201cNext.Js,\u201d has critical security with a CVE base score of 9.1 by NIST<\/a>. Next.js is a React framework that provides a structured approach and additional features for building web applications, including server-side rendering and static site generation, built on top of the React library.<\/p>\n\n\n\n

The framework is used by Big tech companies and even small startups because of its performance, scalability, and developer-friendly features.<\/p>\n\n\n\n

The security researcher Rachid<\/a> discovered a critical vulnerability in the Next.js Middleware. This vulnerability allows authentication bypass, DOS (Denial of Server), and Cache poising with maliciously crafted URLs.<\/p>\n\n\n\n

The framework has 131K stars<\/strong> on GitHub<\/a> and is currently downloaded + 9,4 million<\/strong> times per week. The following Next.js version is vulnerable to this vulnerability. <\/p>\n\n\n\n

If your organization uses it, upgrade it to the corresponding patched version.<\/strong><\/p>\n\n\n\n

    \n
  1. For Next.js 15.x,<\/strong> this issue is fixed in 15.2.3.<\/strong><\/li>\n\n\n\n
  2. For Next.js 14.x,<\/strong> this issue is fixed in 14.2.25.<\/strong><\/li>\n\n\n\n
  3. All Next.js versions starting from 11.1.4<\/strong> up to and including 13.5.6<\/strong> are affected by this vulnerability.<\/li>\n<\/ol>\n\n\n\n

    How does this Vulnerability Occur?<\/h2>\n\n\n\n

    To understand the technicality of this vulnerability, you first have to understand Middleware. According to the Next.js documentation<\/a>, Middleware allows you to run code before a request is completed. <\/p>\n\n\n\n

    Then, based on the incoming request, you can modify the response by rewriting, redirecting, modifying the request or response headers, or responding directly. Middleware runs before cached content and routes are matched.<\/p>\n\n\n\n

    In simple words, Middleware acts as a checkpoint for your website. Before a request reaches the final destination (like your homepage or a product page), middleware checks the request and decides what to do next. Middleware helps you customize how requests are handled, making your site faster, safer, and more flexible.<\/p>\n\n\n\n

    Another main job of the  Middleware is access control. It checks for Authentication & Authorization and verifies their session before letting them in.<\/p>\n\n\n\n

    For Example, A user tries to visit\u00a0 \/<Your web app>\/dashboard\/admin<\/strong>. Middleware jumps in and checks if they\u2019re logged in and have the correct permissions. If yes, allow them through if everything is good; otherwise, redirect them to the login page if they don\u2019t have access.<\/p>\n\n\n\n

    The Security Issue in Next.js<\/h2>\n\n\n\n

    The Next.js framework middleware checks a special header in the web requests called x-middleware-subrequest <\/strong>to decide whether it should run. If this header contains the middleware\u2019s name, the middleware is ignored, and the request moves forward. Apart from this, the Middleware\u2019s name is predictable. <\/p>\n\n\n\n

    The files had to be named _middleware.ts and placed inside the pages\/ folder. The attacker can bypass the middleware and the login mechanism by chaining them together. <\/p>\n\n\n\n

    Here is how it is if a request needs to pass through middleware at \/dashboard\/panel\/admin<\/strong>, an attacker has three possible values for the x-middleware-subrequest header.<\/p>\n\n\n\n