#VU105939 Improper authorization in Next.js - CVE-2025-29927


Updated: 2025-04-11

Vulnerability identifier: #VU105939

Vulnerability risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2025-29927

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Next.js
Server applications / Frameworks for developing and running applications

Vendor: Vercel (formerly Zeit)

Description

The vulnerability allows a remote attacker to bypass the application's authorization checks.

The vulnerability exists because Next.js marks requests that its middleware issues to itself with the internal header `x-middleware-subrequest` and skips middleware for such requests, but did not reject that header when it arrived from an external client. A remote attacker who sends a crafted `x-middleware-subrequest` header can cause the middleware to be skipped entirely, bypassing any authentication or authorization logic implemented there (for example redirects to a login page or path-based access rules) and reaching protected routes directly. Self-hosted applications that rely on middleware for authorization are affected.

Mitigation
Install updates from the vendor's website: upgrade to the fixed release of the line in use (12.3.5, 13.5.9, 14.2.25 or 15.2.3). If patching is not immediately possible, block or strip the `x-middleware-subrequest` header from external requests before they reach the Next.js server, and do not rely on middleware as the only authorization layer; route handlers and server actions should verify the caller themselves.
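
As an added illustration for the description and mitigation above (not Next.js source code and not the advisory's own material), the following stand-alone Node.js model shows the failure mode and the two mitigations a self-hosting team controls: stripping the internal header at the edge and checking authorization in the route handler as well as in middleware. The middleware name, request shape and sample requests are constructed for the example; real Next.js release lines differ in exactly how the header value is matched, so the single-name match here is a simplification.

```javascript
// Added example, not Next.js source: a stand-alone model of the middleware
// skip that CVE-2025-29927 abuses, beside the hardening steps a self-hosting
// team controls. Header and cookie objects are plain objects with lowercase
// keys, as Node's http module presents them.

const MIDDLEWARE_NAME = 'middleware'; // assumption: the middleware's internal name

// Simulated middleware.ts: anonymous requests to /admin are redirected to login.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.cookies.session !== 'valid') {
    return { status: 307, location: '/login' };
  }
  return null; // fall through to the route handler
}

// Pre-patch-style dispatch: a request whose x-middleware-subrequest header
// names this middleware is treated as an internal subrequest and middleware
// is skipped. Real release lines differ in how the value is matched (newer
// ones count repetitions of the name); the single-name match is a simplification.
function frameworkDispatch(req, handler) {
  const marker = req.headers['x-middleware-subrequest'] || '';
  const looksInternal = marker.split(':').includes(MIDDLEWARE_NAME);
  if (!looksInternal) {
    const blocked = authMiddleware(req);
    if (blocked) return blocked;
  }
  return handler(req);
}

// Route handler that trusts middleware to have authorized the caller.
function adminHandlerTrustingMiddleware() {
  return { status: 200, body: 'admin panel' };
}

// Hardening 1: at the edge (reverse proxy or first Node handler), drop the
// internal header from every external request so it cannot mark the request
// as a subrequest.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers['x-middleware-subrequest'];
  return { ...req, headers };
}

// Hardening 2: the handler re-checks authorization itself, so a skipped
// middleware cannot grant access on its own.
function adminHandlerHardened(req) {
  if (req.cookies.session !== 'valid') {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'admin panel' };
}

function handleVulnerable(req) {
  return frameworkDispatch(req, adminHandlerTrustingMiddleware);
}

function handleHardened(req) {
  return frameworkDispatch(stripInternalHeaders(req), adminHandlerHardened);
}

// Constructed sample requests.
const anonymousRequest = { path: '/admin', headers: {}, cookies: {} };
const bypassAttempt = {
  path: '/admin',
  headers: { 'x-middleware-subrequest': 'middleware' },
  cookies: {},
};
const legitimateRequest = { path: '/admin', headers: {}, cookies: { session: 'valid' } };

console.log('vulnerable, anonymous  :', handleVulnerable(anonymousRequest).status); // 307
console.log('vulnerable, with header:', handleVulnerable(bypassAttempt).status);    // 200 (bypass)
console.log('hardened, with header  :', handleHardened(bypassAttempt).status);      // 307
console.log('hardened, valid session:', handleHardened(legitimateRequest).status);  // 200
```

Stripping the header at the edge restores the middleware check even against the unpatched dispatch model, and the handler-side check means that any future way of skipping middleware still does not grant access by itself; the two measures are complementary, and neither replaces upgrading to a fixed release.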

Vulnerable software versions

Next.js: 12.0.0 - 12.0.10, 12.1.0 - 12.1.6, 12.2.0 - 12.2.6, 12.3.0 - 12.3.4, 13.0.0 - 13.0.7, 13.1.0 - 13.1.6, 13.2.0 - 13.2.4, 13.3.0 - 13.3.4, 13.4.0 - 13.4.19, 13.5.0 - 13.5.8, 14.0.0 - 14.0.4, 14.1.0 - 14.1.4, 14.2.0 - 14.2.24, 15.0.0 - 15.0.4, 15.1.0 - 15.1.7, 15.2.0 - 15.2.2


External links
https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw
https://github.com/vercel/next.js/releases/tag/v13.5.9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
