
Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk

On March 21, 2025, an authentication bypass vulnerability in Vercel’s Next.js framework, identified as CVE-2025-29927, was disclosed. This article outlines the threat posed by the CVE-2025-29927 vulnerability in Next.js middleware, analyzes exposed instances affected by the flaw, and provides mitigation strategies.

Overview of Next.js Middleware Authentication Bypass Vulnerability: CVE-2025-29927

A serious vulnerability was discovered in Next.js middleware: it fails to correctly verify authentication while processing an HTTP request, which lets unauthorized users reach protected resources and poses a serious security risk.
According to the official report, the root cause is related to the beforeFiles routing logic in Next.js. Vercel has addressed the vulnerability in versions after v14.1.0-canary.35.

  • Vulnerability ID: CVE-2025-29927
  • Release Date: March 27, 2025
  • Affected Version: Next.js versions earlier than 14.2.25
  • Official Patched Version: Next.js versions 12.3.5, 13.5.9, 14.2.25, or 15.2.3
  • CVSS Severity: High

Identifying Assets Exposed to the Next.js Middleware Authentication Bypass Using Criminal IP

The threat intelligence search engine Criminal IP can detect globally exposed Next.js instances by querying “X-Powered-By: Next.js”.

Criminal IP Search Query: “X-Powered-By: Next.js”

A search for ‘X-Powered-By: Next.js’ on Criminal IP returned 528,421 results as of April 3, 2025.

Criminal IP has detected a total of 528,421 assets with the HTTP header ‘X-Powered-By: Next.js’. Among these, a significant number were identified as vulnerable and affected by multiple CVEs.
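The search above is a header fingerprint: any HTTP response whose X-Powered-By header reads “Next.js” is counted. The following script is an added example, not part of the Criminal IP article, that applies the same fingerprint to a few constructed HTTP responses so the check can be run against an internal inventory; the host names and header values are made up for the example.

```javascript
// Added example (not from the Criminal IP article): apply the fingerprint
// behind the search query "X-Powered-By: Next.js" to raw HTTP responses.

// Constructed sample responses; hosts and header values are invented.
const SAMPLE_RESPONSES = {
  'app.example.test': [
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=utf-8',
    'x-powered-by: Next.js',          // lower-case on purpose: names are case-insensitive
    '',
  ].join('\r\n'),
  'api.example.test': [
    'HTTP/1.1 200 OK',
    'X-Powered-By: Express',
    '',
  ].join('\r\n'),
  'static.example.test': [
    'HTTP/1.1 200 OK',
    'Server: nginx',
    '',
  ].join('\r\n'),
};

// Parse a raw response head into a map keyed by lower-cased header name.
// Repeated headers are joined with ", " as RFC 9110 allows.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {     // skip the status line
    if (line === '') break;                // blank line terminates the header block
    const idx = line.indexOf(':');
    if (idx === -1) continue;              // tolerate a malformed line instead of failing
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// True when the response advertises Next.js through X-Powered-By.
function advertisesNextJs(raw) {
  const headers = parseHeaders(raw);
  return /^next\.js$/i.test(headers['x-powered-by'] || '');
}

// Return the hosts whose response carries the Next.js fingerprint.
function findNextJsHosts(responses) {
  return Object.keys(responses).filter((host) => advertisesNextJs(responses[host]));
}

console.log(findNextJsHosts(SAMPLE_RESPONSES));
```

The header is a fingerprint, not an inventory: Next.js can be configured to omit it (the `poweredByHeader: false` option in next.config.js), so a host that does not return it may still run Next.js, and the header says nothing about which version is deployed. Treat hits as candidates to verify, and treat misses as unknown rather than safe.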

Detailed Analysis of Next.js Assets and Vulnerabilities

In particular, the report page for the specific IP address below allows users to check its open ports, vulnerability status, and whether it is listed in the Exploit DB.

Report on IP addresses exposed to Next.js vulnerabilities detected through Criminal IP Asset Search

This IP address was identified as part of the Asset Search results and is potentially affected by the Next.js middleware vulnerability. Ports 80 and 443 are open, and one of the four associated vulnerabilities has a corresponding entry in the Exploit DB.

Report on IP addresses exposed to Next.js vulnerabilities detected through Criminal IP Asset Search

CVE-2023-44487 (HTTP/2 Rapid Reset) is among the known vulnerabilities detected on the server. This flaw allows attackers to rapidly create and cancel numerous HTTP/2 streams, which can exhaust server resources and potentially trigger a Distributed Denial-of-Service (DDoS) attack. It has already been exploited in large-scale incidents, as confirmed by Cloudflare, Google, and AWS.

The Proof of Concept (PoC) for this vulnerability is already publicly accessible on GitHub, which means servers without proper security patches are at high risk of immediate exploitation. This shows that exposed assets with such flaws are not just potential threats, but practical risks that attackers can actively exploit.

Criminal IP enables real-time detection of large-scale web assets and can be leveraged to establish proactive defense and mitigation strategies against header-based attacks.

FAQ

Q1. What is Next.js?

Next.js is a React-based web framework that offers a wide range of features such as Server-Side Rendering (SSR), API routes, and image optimization. These capabilities have made it a popular choice among front-end developers.

Q2. What security risk does CVE-2025-29927 pose?

A flaw in the Next.js middleware prevents it from properly verifying authentication status, allowing unauthorized requests. This issue can enable unauthenticated access to protected pages or API endpoints.

Q3. How can you mitigate this issue?

Vercel recommends users update to versions 12.3.5, 13.5.9, 14.2.25, or 15.2.3. All affected versions require immediate patching.
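Because the fix lands in a different release for each major line, an inventory check has to compare each deployed version against the patched release of its own line rather than against a single number. The script below is an added example, not from the Criminal IP article or from Vercel, that does this triage for a constructed inventory using the patched versions listed above; the host names are invented, and the handling of versions outside the 12 to 15 lines (treat anything below 12 as affected, flag anything above 15 for manual verification) is an assumption of this example.

```javascript
// Added example (not from the article or from Vercel): triage Next.js versions
// from an internal inventory against the patched releases the article names.

// First fixed release per major line, as listed in the article.
const FIXED = { 12: '12.3.5', 13: '13.5.9', 14: '14.2.25', 15: '15.2.3' };

// Parse "14.2.24", "v15.2.3" or "15.2.3-canary.4" into its components.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare on the numeric core first; a pre-release (e.g. canary) of a core
// sorts below the final release of that core, as SemVer requires.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;  // plain string order is enough for triage
}

// 'patched', 'affected', or 'unlisted' (major line not covered by the list).
function assessVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v.major];
  if (fixed === undefined) {
    // Assumption of this example: majors below 12 have no patched release and
    // are below 14.2.25, so they are affected; majors above 15 are left for
    // manual verification rather than assumed safe.
    return v.major < 12 ? 'affected' : 'unlisted';
  }
  return compareVersions(v, parseVersion(fixed)) >= 0 ? 'patched' : 'affected';
}

// Constructed inventory: hosts and versions are made up for the example.
const INVENTORY = [
  { host: 'shop.example.test', version: '14.2.24' },
  { host: 'docs.example.test', version: '15.2.3' },
  { host: 'legacy.example.test', version: '13.5.6' },
  { host: 'beta.example.test', version: '15.2.3-canary.1' },
];

// Attach a status and a concrete action to every inventory entry.
function triageInventory(inventory) {
  return inventory.map(({ host, version }) => {
    const status = assessVersion(version);
    const target = FIXED[parseVersion(version).major] || FIXED[15];
    const action = status === 'affected' ? `upgrade to ${target} or later`
      : status === 'unlisted' ? 'verify against the advisory' : 'none';
    return { host, version, status, action };
  });
}

console.table(triageInventory(INVENTORY));
```

The pre-release case matters in practice: a 15.2.3-canary build predates the 15.2.3 release and is still affected, which a naive string comparison against "15.2.3" would miss.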

Q4. How can exposed assets be identified?

Threat intelligence platforms like Shodan or Criminal IP can be leveraged to discover potentially vulnerable web assets by identifying those that contain the HTTP header “X-Powered-By: Next.js”.

Conclusion

Next.js is widely adopted across hundreds of thousands of web services globally, and the recently discovered CVE-2025-29927 vulnerability could have extensive global impacts. Criminal IP has detected hundreds of thousands of exposed services, highlighting the urgency for proactive mitigation.

Organizations operating Next.js-based systems must apply patches and conduct security checks. Criminal IP’s asset identification and real-time monitoring capabilities enable proactive threat mitigation, keeping organizations ahead of attackers.

In relation to this, you can refer to Analysis of AMI MegaRAC BMC Vulnerability: Criminal IP-Based Detection Strategies.


Source: Criminal IP (https://www.criminalip.io/), BleepingComputer – (https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/)

Related article:

https://www.criminalip.io/knowledge-hub/blog/26791
