Detections
Analytics
Next.js 14.x < 14.2.25 Authorization Bypass
critical Web App Scanning Plugin ID 114682
Language:
Synopsis
Next.js 14.x < 14.2.25 Authorization BypassDescription
The version of Next.js installed on the remote host is 11.1.4 prior to 12.3.5, 13.0.x prior to 13.5.9, 14.x prior to 14.2.25 or 15.x prior to 15.2.3. It is, therefore, affected by Authorization Bypass if the authorization check occurs in middleware.Note that the scanner has not attempted to exploit this issue but has instead relied only on application's self-reported version number.
Solution
Upgrade to Next.js version 14.2.25 or later.See Also
https://nextjs.org/blog/cve-2025-29927
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
Plugin Details
Severity: Critical
ID: 114682
Type: remote
Family: Component Vulnerability
Published: 3/24/2025
Updated: 3/24/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 8.8
CVSS v2
Risk Factor: High
Base Score: 9.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N
CVSS Score Source: CVE-2025-29927
CVSS v3
Risk Factor: Critical
Base Score: 9.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score Source: CVE-2025-29927
Vulnerability Information
CPE: cpe:2.3:a:vercel:next.js:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 3/20/2025
Reference Information
CVE: CVE-2025-29927
CWE: 285
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A6
WASC: Insufficient Authorization
CAPEC: 1, 104, 127, 13, 17, 39, 402, 45, 5, 51, 59, 60, 647, 668, 76, 77, 87
DISA STIG: APSC-DV-000500, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-4.1.3