Next.js Authorization Bypass Vulnerability [CVE-2025-29927]

Jessica

Next.js is a React framework for building full-stack web applications. Prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3, self-hosted Next.js applications with a server backend are vulnerable to a critical authorization bypass [CVE-2025-29927]. Static sites using Next.js and those hosted by Vercel and other popular web application hosting providers (specifically Netlify and Cloudflare) are not vulnerable.

What To Do

Upgrade Next.js to version 12.3.5, 13.5.9, 14.2.25, 15.2.3 or higher.

If patching to a safe version is infeasible, or if you are running a Next.js 11.x version for which no patch exists, we recommend preventing external user requests containing the 'x-middleware-subrequest' header from reaching your Next.js application.

Resources

Vercel - Authorization Bypass Vulnerability in Next.js Middleware
NVD - CVE-2025-29927
Next.js - Postmortem on Next.js Middleware bypass

April 3, 2025: Published.