CVE-2025-30218

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf	Vendor Advisory
https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vercel:next.js:12.3.5:::::node.js::
	cpe:2.3:a:vercel:next.js:13.5.9:::::node.js::
	cpe:2.3:a:vercel:next.js:14.2.25:::::node.js::
	cpe:2.3:a:vercel:next.js:15.2.3:::::node.js::

History

10 Sep 2025, 15:14

Type	Values Removed	Values Added
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf - Vendor Advisory
References	~~() https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O -~~	() https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
CPE		cpe:2.3:a:vercel:next.js:13.5.9:::::node.js:: cpe:2.3:a:vercel:next.js:15.2.3:::::node.js:: cpe:2.3:a:vercel:next.js:12.3.5:::::node.js:: cpe:2.3:a:vercel:next.js:14.2.25:::::node.js::
First Time		Vercel Vercel next.js

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) Next.js es un React framework para construir aplicaciones web de pila completa. Para mitigar CVE-2025-29927, Next.js validó el ID X-Middleware-subrequest que persistió en múltiples solicitudes entrantes. Sin embargo, esta ID de subrequest se envía a todas las solicitudes, incluso si el destino no es el mismo host que la aplicación Next.js. Iniciar una solicitud de recuperación a un tercero dentro de Middleware enviará el ID de subrequest de X-Middleware a ese tercero. Esta vulnerabilidad se fija en 12.3.6, 13.5.10, 14.2.26 y 15.2.4.

02 Apr 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-02 22:15

Updated : 2025-09-10 15:14

NVD link : CVE-2025-30218

Mitre link : CVE-2025-30218

CVE.ORG link : CVE-2025-30218

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

5.9 /10