Authentication Bypass Vulnerability in Next.js CVE-2025-29927: What You Should Know

Discover the key information you need to know about CVE-2025-29927, an authentication bypass vulnerability in the middleware layer in Vercel’s Next.js.

by Michael Teske

Matthew Lloyd Davies - Pluralsight course - Authentication Bypass Vulnerability in Next.js CVE-2025-29927: What You Should Know

by Matthew Lloyd Davies

Get started

What you'll learn

CVE-2025-29927 is an authentication bypass vulnerability in the middleware layer in Vercel’s Next.js. Exploitation is trivial and can be achieved by adding an x-middleware-subrequest header with a specially crafted value in the request. The Next.js middleware will incorrectly process the header and bypass the authentication check. This course will give you a clear understanding of this vulnerability, its potential impact, and the urgency of applying the newly released patches. We will walk through the security implications for affected systems, explore risk mitigation strategies, and provide actionable steps to safeguard your organization against exploitation.

About the authors

Michael Teske

Michael Teske is an Author Evangelist with Pluralsight helping people elevate their skills. He has 20+ years of experience in IT Ops, including 17 as an IT instructor at a community college.

More Courses by Michael

Matthew Lloyd Davies

Matt has a degree in Chemical engineering and a PhD in mathematical chemistry. He is also a GIAC certified incident handler and penetration tester and has regulated cyber security in the UK civil nuclear sector for many years.

More Courses by Matthew

Authentication Bypass Vulnerability in Next.js CVE-2025-29927: What You Should Know

What you'll learn

Table of contents

Authentication Bypass Vulnerability in Next.js CVE-2025-29927: What You Should Know 11m 7s

Resources 42s

About the authors