3:30pm, 27 March 2025
TLP Rating:
CVE-2025-29927 affecting Next.js
CVE-2025-29927 could allow a remote attacker to skip critical security checks, including bypassing running middleware and cookie validation.
Next.js has published advice for those using the affected versions.
What's happening
Systems affected
Next.js 15.x versions prior to 15.2.3
Next.js 14.x versions prior to 14.2.25
Next.js 13.x versions prior to 13.5.9
Next.js 12.x versions prior to 12.3.5
What this means
Organisations that use affected Next.js versions could be vulnerable to CVE-2025-29927.
What to look for
How to tell if you're at risk
You are at risk if you are running a Next.js instance on one of the versions listed above.
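An added example (not part of this advisory and not vendor code): a Node.js script that checks every copy of `next` recorded in an npm `package-lock.json` against the affected ranges listed above. The function names and the sample lockfile are constructed for illustration, and the script assumes that a pre-release of a fixed version counts as prior to that version.

```javascript
// Added example, not from the advisory. First fixed release per major line,
// taken from the "Systems affected" list above.
const FIRST_FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Returns "affected", "fixed", "unlisted" (major line not in the advisory's list)
// or "unparseable" (a range such as "^15.2.0", a dist-tag, or a missing version).
function classify(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return "unparseable";
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIRST_FIXED[parts[0]];
  if (!fixed) return "unlisted";
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i] ? "affected" : "fixed";
  }
  // Same numbers as the first fixed release: assume semver precedence, where a
  // pre-release tag (e.g. -canary.1) sorts before the release itself.
  return m[4] ? "affected" : "fixed";
}

// Scan package-lock.json text (lockfileVersion 2 or 3) for every installed copy
// of "next", including copies nested in workspaces or under other packages.
function scanLockfile(lockText) {
  const packages = JSON.parse(lockText).packages || {};
  return Object.entries(packages)
    .filter(([p]) => p === "node_modules/next" || p.endsWith("/node_modules/next"))
    .map(([p, meta]) => ({ path: p, version: meta.version, status: classify(meta.version) }));
}

// Constructed sample lockfile for illustration only.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/next": { version: "15.2.3" },
    "apps/admin/node_modules/next": { version: "14.2.24" },
    "node_modules/next-auth": { version: "4.24.0" },
  },
});

for (const hit of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path}  ${hit.version}  ${hit.status}`);
}
```

The lockfile records what is actually installed, so it is a better source than the version range declared in `package.json`.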
What to do
Prevention
Update to one of the vendor-advised Next.js versions.
More information
Vendor Advisory
CVE-2025-29927 | Next.js
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at media@ncsc.govt.nz or call the media team on 021 854.