# [HIGH] CVE-2025-29927 Authorization Bypass in Next.js Middleware **Source:** Snyk **Published:** 2025-03-23 **Article:** https://snyk.io/blog/cve-2025-29927-authorization-bypass-in-next-js-middleware/ ## Threat Profile Snyk Blog In this article Written by Liran Tal March 23, 2025 0 mins read CVE-2025-29927 Authorization Bypass in Next.js Middleware On Friday morning, March 21, 2025, at 9:00 a.m. UTC, a security advisory identified as CVE-2025-29927 was published. It cited a critical 9.1 severity vulnerability for mainstream Next.js applications. Next.js versions considered vulnerable: Next.js 15.x versions before15.2.3 Next.js 14.x versions before 14.2.25 Next.js 13.x versions before 13.5.9 All Next.js versi… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2025-29927` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1195.002** — Compromise Software Supply Chain - **T1204.002** — User Execution: Malicious File - **T1078** — Valid Accounts - **T1556** — Modify Authentication Process ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Next.js CVE-2025-29927 middleware bypass via x-middleware-subrequest header `UC_948_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.url) as urls values(Web.http_method) as methods values(Web.status) as statuses dc(Web.url) as url_count from datamodel=Web where Web.http_user_agent=* (Web.http_request_headers="*x-middleware-subrequest*" OR Web.http_request_headers="*middleware:middleware:middleware:middleware:middleware*" OR Web.http_request_headers="*x-middleware-subrequest: middleware*") by Web.src Web.dest Web.http_user_agent Web.url_domain | `drop_dm_object_name(Web)` | where url_count >= 1 ``` **Defender KQL:** ```kql // Defender Advanced Hunting does not natively capture inbound HTTP request headers for self-hosted web servers. // This detection is implemented on Sentinel/SIEM web-tier telemetry instead — see sentinel_kql. // For Defender, the closest pivot is host-side: a Next.js node process receiving traffic that is followed by // post-auth-only commands (DB dumps, secret reads) from an unauthenticated session — too noisy to express here. ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### Article-specific behavioural hunt — CVE-2025-29927 Authorization Bypass in Next.js Middleware `UC_948_2` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — CVE-2025-29927 Authorization Bypass in Next.js Middleware ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("next.js","node.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("next.js","node.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — CVE-2025-29927 Authorization Bypass in Next.js Middleware // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("next.js", "node.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("next.js", "node.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2025-29927` ## Why this matters Severity classified as **HIGH** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.