Next.js is a React framework for building full-stack web applications. Before versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, self-hosted Next.js applications that run a server backend are vulnerable to a critical authorization bypass [CVE-2025-29927]: authorization checks implemented in Next.js middleware can be skipped by a crafted request, so any route that relies on middleware alone to gate access is exposed. Static sites built with Next.js, and applications hosted on Vercel or other popular hosting providers (specifically Netlify and Cloudflare), are not vulnerable.
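The first thing a practitioner wants from the version list above is a repeatable check against their own dependency tree. The following is an added example, not code from Bitsight, Vercel or the Next.js project: it encodes the fixed versions named above, treats everything below the fix on the same major line (and any major below 12, "prior to 12.3.5") as affected, and walks a package-lock.json `packages` map so that nested copies of `next` are not missed. It assumes majors above 15 shipped patched, and it only compares the numeric MAJOR.MINOR.PATCH part, reporting any prerelease tag separately rather than guessing whether a canary build carries the fix. The sample lockfile is constructed for the example.

```javascript
// Added example: flag installed Next.js versions that fall in the affected
// range for CVE-2025-29927, using the fixed versions named in the text.
// ASSUMPTION: majors above 15 are treated as patched; prerelease tags are
// surfaced to the caller rather than compared.

const FIXED_VERSIONS = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; returns null on junk input.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of MAJOR.MINOR.PATCH only (-1, 0, 1).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// True when the version is below the fix for its major line, or below 12.x.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable Next.js version: ${version}`);
  if (v.major < 12) return true;            // "prior to 12.3.5" covers every 11.x too
  const fixed = FIXED_VERSIONS[v.major];
  if (!fixed) return false;                 // assumption: later majors shipped patched
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and report
// every installed copy of `next`, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/next" || path.endsWith("/node_modules/next")) {
      const v = parseVersion(entry.version);
      findings.push({
        path,
        version: entry.version,
        vulnerable: isVulnerableVersion(entry.version),
        prerelease: v ? v.prerelease : null,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one affected copy at the
// top level and one patched copy pulled in by a nested dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "14.2.24" } },
    "node_modules/next": { version: "14.2.24" },
    "node_modules/some-plugin/node_modules/next": { version: "15.2.3" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const tag = f.prerelease ? ` (prerelease ${f.prerelease}, verify manually)` : "";
  console.log(`${f.path}: next@${f.version} -> ${f.vulnerable ? "AFFECTED, upgrade" : "patched"}${tag}`);
}
```

A hit from this check means the code is in the affected range; whether the deployment is actually exposed still depends on how it is run. Per the text above, a static export or an app hosted on Vercel, Netlify or Cloudflare is not vulnerable, while a self-hosted server deployment on an affected version needs the upgrade.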
News
- March 17, 2025: Patches for affected versions were released.
- March 18, 2025: CVE-2025-29927 was issued by GitHub.
- March 21, 2025: CVE-2025-29927 was made public.
Bitsight Status
Initial detections of this vulnerability will be available in Vulnerability Detection on April 3. A further scan that is expected to return additional detections is under way; updated results will be provided when it completes.