Next.js CVE-2025-29927

Okta

On March 21, 2025, Vercel disclosed a critical vulnerability in Next.js (CVE-2025-29927) that allows an attacker to bypass authorization checks in a Next.js application when those checks are performed only in middleware.

Note: The Okta service is not affected by this vulnerability.

Action for nextjs-auth0 SDK customers

For Auth0 customers using Next.js with the nextjs-auth0 SDK, we recommend auditing your codebase for any logic where authentication or authorization decisions are made exclusively in middleware functions. Below are examples of this pattern in v4 and v3 of the SDK.

In v4 of the SDK:

import { NextRequest, NextResponse } from "next/server"
import { auth0 } from "@/lib/auth0"

export async function middleware(request: NextRequest) {
  // runs the SDK's own routes (login, logout, callback) and refreshes the session cookie
  const authRes = await auth0.middleware(request)

  // let the SDK's /auth/* routes through untouched
  if (request.nextUrl.pathname.startsWith("/auth")) {
    return authRes
  }

  // this is the only authentication check in the app: if the middleware is skipped, so is this
  const session = await auth0.getSession(request)
  if (!session) {
    // user is not authenticated, redirect to login page
    return NextResponse.redirect(new URL("/auth/login", request.nextUrl.origin))
  }

  // the headers from the auth middleware should always be returned
  return authRes
}

In v3 of the SDK:

// middleware.js: protect every matched route with the SDK helper alone
import { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';

export default withMiddlewareAuthRequired();

or, with a custom handler that reads the session inside the middleware:

// middleware.js
import { NextResponse } from 'next/server';
import { withMiddlewareAuthRequired, getSession } from '@auth0/nextjs-auth0/edge';

export default withMiddlewareAuthRequired(async function middleware(req) {
  const res = NextResponse.next();
  // the session is read here, in middleware, and nowhere else
  const user = await getSession(req, res);
  …
});

If you are using any other third-party library (for example, NextAuth.js), we also recommend reviewing your application for similar logic, such as relying only on middleware to protect your routes:

export { default } from "next-auth/middleware";
export const config = {
    matcher: ["/dashboard"]
};

Remediation

To remediate this vulnerability, upgrade to the patched release for your Next.js major version:

  • Next.js 15: 15.2.3 or later

  • Next.js 14: 14.2.25 or later

  • Next.js 13: 13.5.9 or later

  • Next.js 12: 12.3.5 or later

If upgrading Next.js is not an option, the official recommendation is to block external requests that contain the x-middleware-subrequest header before they reach the application (for example, at a reverse proxy or WAF). An affected Next.js treats a request carrying that header as an internal sub-request and does not run the middleware for it, which is how the check is skipped.

Not Affected

Your application is not affected under the following conditions:

  • Applications hosted on Vercel

  • Applications hosted on Netlify

  • Applications deployed as static exports

  • Applications that do not exclusively rely on Next.js Middleware for authentication and authorization.

    • Applications that perform an additional authentication check in every Server Rendered Component, Page Route, or API Route. This can be done by invoking auth0.getSession() in v4, or by using getSession(), withApiAuthRequired or withPageAuthRequired in v3.
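To make the failure mode and both mitigations concrete, here is an added JavaScript illustration (not code from Okta, Auth0 or Next.js) that models the request flow in memory: a middleware that is the sole authentication check, a route that trusts it, a route that re-checks the session as the v4/v3 guidance above describes, and a filter that rejects requests carrying the header as the upgrade-alternative mitigation describes. The request shape, the appSession cookie name, the session store and the header value are constructed assumptions; the model skips the middleware whenever the header is present rather than reproducing any Next.js version's exact check.

```javascript
// Added illustration, not code from Okta, Auth0 or Next.js: an in-memory model
// of a Next.js request pipeline. It shows why an authentication check that
// lives only in middleware disappears when the middleware is skipped, and how
// the two mitigations described on this page behave. Request shape, cookie
// name, session store and the header value below are all constructed.

const SESSION_COOKIE = "appSession"; // assumed cookie name

// Constructed session store (cookie value -> session); stands in for the
// SDK's server-side session lookup.
const SESSIONS = new Map([["cookie-for-alice", { sub: "alice" }]]);

// Stand-in for auth0.getSession() (v4) / getSession() (v3): session or null.
function getSession(request) {
  const cookie = request.cookies[SESSION_COOKIE];
  return cookie && SESSIONS.has(cookie) ? SESSIONS.get(cookie) : null;
}

// HTTP header names are case-insensitive, so compare them that way.
function header(request, name) {
  const key = Object.keys(request.headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : request.headers[key];
}

// The middleware pattern from the page, reduced to its check: no session,
// redirect to login; otherwise fall through to the route.
function authMiddleware(request) {
  if (!getSession(request)) {
    return { status: 307, location: "/auth/login" };
  }
  return null; // continue to the route handler
}

// Model of the flaw: an affected Next.js treats a request carrying
// x-middleware-subrequest as an internal sub-request and does not run the
// middleware for it. Real versions inspect the header's value; this model
// keys on presence, which is also what the blocking mitigation keys on.
// filterHeader=true models that mitigation (e.g. a proxy rule) in front of the app.
function runPipeline(request, handler, { filterHeader = false } = {}) {
  const hasSubrequestHeader = header(request, "x-middleware-subrequest") !== null;
  if (filterHeader && hasSubrequestHeader) {
    return { status: 403, body: "forbidden" };
  }
  if (!hasSubrequestHeader) {
    const response = authMiddleware(request);
    if (response) return response;
  }
  return handler(request);
}

// Vulnerable pattern: the route assumes middleware already authenticated the caller.
function dashboardTrustingMiddleware() {
  return { status: 200, body: "secret dashboard" };
}

// Hardened pattern: the route re-checks the session itself (the page's
// auth0.getSession() / withPageAuthRequired advice), so it holds even when
// the middleware never ran.
function dashboardRechecking(request) {
  const session = getSession(request);
  if (!session) return { status: 401, body: "unauthorized" };
  return { status: 200, body: `secret dashboard for ${session.sub}` };
}

// Constructed requests.
const anonymous = { cookies: {}, headers: {} };
const alice = { cookies: { [SESSION_COOKIE]: "cookie-for-alice" }, headers: {} };
const bypassAttempt = {
  cookies: {},
  headers: { "X-Middleware-Subrequest": "any-value" }, // value is a placeholder
};

// Status code for each scenario, so the outcomes can be compared side by side.
function demo() {
  return {
    anonymousRedirected: runPipeline(anonymous, dashboardTrustingMiddleware).status, // 307
    bypassLeaksSecret: runPipeline(bypassAttempt, dashboardTrustingMiddleware).status, // 200
    recheckHolds: runPipeline(bypassAttempt, dashboardRechecking).status, // 401
    headerBlocked: runPipeline(bypassAttempt, dashboardTrustingMiddleware, { filterHeader: true }).status, // 403
    aliceServed: runPipeline(alice, dashboardRechecking).status, // 200
  };
}

console.log(demo());
```

The point of the side-by-side result is the second and third lines: the same request that reaches the secret when the route trusts middleware is rejected when the route re-checks the session, and never reaches the route at all when the header is filtered upstream.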
