Next.js is a React framework for building full-stack web applications. Prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3, self-hosted Next.js applications with a server backend are vulnerable to a critical authorization bypass [CVE-2025-29927]. Static sites using Next.js and those hosted by Vercel and other popular web application hosting providers (specifically Netlify and Cloudflare) are not vulnerable.
What To Do
Upgrade Next.js to version 12.3.5, 13.5.9, 14.2.25, 15.2.3 or higher.
If patching to a safe version is infeasible, or if you’re running a Next.js 11.x release for which no patch exists, we recommend preventing external user requests containing the ‘x-middleware-subrequest’ header from reaching your Next.js application.