Critical Vulnerability in Next.js React Framework

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Next.js releases security update to address critical improper authentication vulnerability


Threat details

Proof-of-Concept exploit for CVE-2025-29927

A public proof-of-concept exploit is available for CVE-2025-29927. The NHS England National CSOC assesses that exploitation of this vulnerability is considered more likely.


Introduction

Next.js have released a security update to address a critical vulnerability within the Next.js React framework.

CVE-2025-29927 is an improper authentication vulnerability, with a CVSSv3 score of 9.1. The vulnerability enables a user to skip running middleware in a Next.js application. As a result, an attacker might be able to skip authentication checks that occur in middleware.


Threat updates

Date          Update
7 Apr 2025    Proof-of-Concept exploit for CVE-2025-29927

Remediation advice

Affected organisations are encouraged to review the Next.js security advisory and apply the relevant updates as soon as practicable.

If patching to a safe version is not possible, it is recommended to prevent external user requests with the x-middleware-subrequest header from reaching the Next.js application.


Definitive source of threat updates


Last edited: 7 April 2025 11:55 am