CVE-2025-29927: Authentication Bypass in Next.js (Cross-platform)

Critical Security Vulnerability Affecting React-Based Web Applications

📌 Advisory Summary

Vulnerability Type: Authentication Bypass (CWE-287)

Affected Versions:

13.0.0 ≤ Next.js < 13.5.9

14.0.0 ≤ Next.js < 14.2.25

15.0.0 ≤ Next.js < 15.2.3

11.1.4 ≤ Next.js < 12.3.5

CVSSv3 Score: 9.1 (Critical) [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N]

Attack Vector: Remote, unauthenticated

🚨 Impact

Successful exploitation could allow:
✓ Unauthorized access to protected routes/pages
✓ Bypass of API route authentication
✓ Access to sensitive user data

🛡️ Mitigation Steps

Immediate Action:

Upgrade to patched versions:

Next.js 13.5.9+

Next.js 14.2.25+

Next.js 15.2.3+

Next.js 12.3.5+

Temporary Measures:

// Implement server-side auth validation (Node.js middleware example) export function middleware(request) {  if (!request.nextauth?.user) {    return NextResponse.redirect(new URL('/login', request.url))  } }

Detection:

Monitor for unexpected access to protected routes

Audit next-auth or custom auth logs

⚙️ Technical Details

Root Cause: Improper session validation in getServerSideProps/middleware

Exploit Prerequisites: None (works on default configurations)

Bypass Method: [Details withheld per responsible disclosure]

📜 Vendor Response

The Next.js team has addressed this in:

GitHub Security Advisory

npm package updates

🔍 Additional Resources

MITRE CVE Entry

Next.js Documentation

#NextJS #WebSecurity #Authentication #CVE202529927 #React