Protection against Next.js CVE-2025-29927 with VMware AVI load balancer WAF
Article ID: 393406
Updated On:
Products
VMware Avi Load Balancer
Issue/Introduction
- Next.js versions prior to 12.3.5, 13.5.9, 14.2.25 and 15.2.3 are vulnerable to bypass authorization checks within a Next.js application, according to a recently published CVE-2025-29927.
Environment
- VMware AVI load balancer
- Next.js version prior to 12.3.5, 13.5.9, 14.2.25 or 15.2.3.
Cause
- Next.js versions prior to 12.3.5, 13.5.9, 14.2.25 and 15.2.3 are vulnerable to bypass authorization checks within a Next.js application, according to a recently published CVE-2025-29927.
Resolution
- It is strongly recommended to upgrade Next.js to a patched version – 12.3.5, 13.5.9, 14.2.25 or 15.2.3.
- For applications based on Next.js which cannot be patched immediately, creating a custom rule in AVI WAF can help mitigate this vulnerability. The custom rule will block any request with the header 'x-middleware-subrequest' which is used as part of this attack.
- Note that this rule is not exploitation-specific rule, but rather a more general approach which would block legitimate sites using auth middleware.
- Create a custom rule to mitigate CVE-2025-29927
-
-
- Navigate to Templates > WAF > WAF Policy in the Avi Load Balancer UI.
- Click Create or Edit an existing WAF Policy.
- Enter the required details under the Configuring WAF Policy.
- Click the Signatures tab.
- Under Pre-CRS rules, click Create Group.
- Enter the Group Name. Every rule is configured within a group.
- Click the Create Rule button. Rules are enabled by default.
- Enter a Name for the rule.
- Select one of the following options:
-
Use Policy Mode Enforcement For more information on selecting modes, see WAF Mode.
-
Enter the Rule in the text box.
-
SecRule REQUEST_HEADERS_NAMES "@rx x-middleware-subrequest" "id:4099863,phase:2,block,t:none,t:lowercase,msg:'CVE-2025-29927'"
-
-
- Click SAVE.
- Click SAVE again.
-
Feedback
Yes
No
Powered by
