CVE-2025-29927
published 2025-03-21


Priority: P1 93 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.62% (99.9th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Affected

21 ranges

Vendor  | Product | Version range                 | Fixed in
--------|---------|-------------------------------|---------
astrojs | vercel  | >= 0 < 10.0.2                 | 10.0.2
next    | next    | >= 12.0.0 < 12.3.5            | 12.3.5
next    | next    | >= 12.3.5 < 12.3.6            | 12.3.6
next    | next    | >= 13.0.0 < 13.5.9            | 13.5.9
next    | next    | >= 13.5.9 < 13.5.10           | 13.5.10
next    | next    | >= 14.0.0 < 14.2.25           | 14.2.25
next    | next    | >= 14.2.25 < 14.2.26          | 14.2.26
next    | next    | >= 15.0.0 < 15.2.3            | 15.2.3
next    | next    | >= 15.2.3 < 15.2.4            | 15.2.4
vercel  | next.js | (8 entries, no range listed)  |
vercel  | next.js | >= 11.1.4 < 12.3.5            | 12.3.5
vercel  | next.js | >= 13.0.0 < 13.5.9            | 13.5.9
vercel  | next.js | >= 14.0.0 < 14.2.25           | 14.2.25
vercel  | next.js | >= 15.0.0 < 15.2.3            | 15.2.3

Detection & IOCs (extracted from sources)

other: x-middleware-subrequest
filename: bootstrap.sh
filename: monitor.py
filename: check.sh
path: scanner/http/nextjs_middleware_auth_bypass
  • Block or alert on any inbound HTTP request containing the 'x-middleware-subrequest' header before it reaches a Next.js application — this header is the sole mechanism for the CVE-2025-29927 auth bypass.
  • Hunt for the PCPJack persistence artefact 'sys-monitor.service' (systemd) and the working directory '/var/lib/.spm/' on Linux hosts as indicators of post-exploitation activity following CVE-2025-29927 exploitation.
  • Detect credential exfiltration to Telegram: look for outbound traffic where data is split into 2800-byte chunks and prefixed with a 🔒 emoji, encrypted with X25519 + ChaCha20-Poly1305.
  • Alert on processes or files named 'monitor.py', '_lat.py', '_cu.py', '_cr.py', '_csc.py', 'utils.py' appearing under '/var/lib/.spm/' — these are the on-disk names of the PCPJack Python worm modules.
  • Detect Sliver beacon binaries dropped as 'update.bin', 'update-386.bin', or 'update-arm.bin' (also staged at '/var/tmp/apt-daily-upgrade') on compromised hosts as second-stage payloads.
  • Monitor for outbound connections to 'cdn[.]cloudfront-js[.]com' on port 8443 — this is the C2 staging URL used by the second PCPJack toolset (check.sh / Sliver beacons).
  • Flag any process that reads '/proc/*/environ' in bulk — the check.sh toolset uses this to harvest credentials from running process environments.
  • A Metasploit auxiliary module (scanner/http/nextjs_middleware_auth_bypass) is publicly available for CVE-2025-29927; monitor WAF/IDS logs for its characteristic probe patterns against Next.js middleware routes.
  • The CVE-2025-29927 auth bypass only affects self-hosted Next.js deployments where authorization logic is implemented in middleware; Vercel-hosted applications are not affected according to the advisory.
  • The vulnerable version range is broad (1.11.4 through 15.2.2); fixed versions are 12.3.5, 13.5.9, 14.2.25, and 15.2.3 — ensure the correct branch is patched for the deployed major version.
  • PCPJack's crypto_util.py silently falls back to sending credentials in plaintext if the 'cryptography' Python library is not installed, meaning exfiltrated data may not always be encrypted.
  • The AWS IMDS lateral movement step in lateral.py only succeeds in environments where IMDSv2 is NOT strictly enforced; enforcing IMDSv2 blocks this credential harvesting path.
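The two defensive checks above (block external requests carrying x-middleware-subrequest, and confirm the deployed version is on a fixed branch) as an added Node.js example; this is not code from the advisory or from Next.js. It takes the per-major fixed versions from the advisory, the pre-12 lower bound 11.1.4 from the affected table, and assumes a reverse proxy or edge filter that hands it the request's header map.

```javascript
// Added example, not part of the advisory or of Next.js. Uses only built-in JS.

// Fixed versions per major line, as listed in the advisory above.
const FIXED_BY_MAJOR = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };
// Earliest affected pre-12 release, from the vercel/next.js range in the table above.
const FIRST_AFFECTED = "11.1.4";

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over major.minor.patch; pre-release suffixes are ignored on purpose.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// True when the deployed Next.js version lies inside an affected range.
function isAffectedNextVersion(version) {
  const major = parseSemver(version)[0];
  if (major < 12) return compareSemver(version, FIRST_AFFECTED) >= 0;
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return false; // majors beyond the listed ranges are not affected
  return compareSemver(version, fixed) < 0;
}

// Decide what an edge filter should do with an inbound request, given its
// header map. Header names are case-insensitive, so match on the lowered name;
// the value is irrelevant: no external client has a reason to send this header.
function classifyRequest(headers) {
  const present = Object.keys(headers).some(
    (h) => h.toLowerCase() === "x-middleware-subrequest"
  );
  return present
    ? { action: "block", reason: "x-middleware-subrequest on external request" }
    : { action: "allow" };
}

// Constructed sample inputs for a quick run.
console.log(isAffectedNextVersion("14.2.24"), isAffectedNextVersion("14.2.25"));
console.log(classifyRequest({ "X-Middleware-Subrequest": "x", host: "app.example" }));
```

Strip or block the header at the proxy even after patching, since it has no legitimate external use.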

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------
nvd           | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa          |         | 9.1   | CRITICAL |
osv           |         | 9.1   | CRITICAL |
vulncheck     |         | 9.1   | CRITICAL |
vendor_redhat |         | 9.1   | CRITICAL |