CVE-2025-29927 affecting Next.js

3:30pm, 27 March 2025

TLP Rating: Clear

CVE-2025-29927 could allow a remote attacker to skip critical security checks, including bypassing middleware execution and cookie validation.

Next.js has published advice for those using the affected versions.

What's happening

Systems affected

Next.js 15.x versions prior to 15.2.3
Next.js 14.x versions prior to 14.2.25
Next.js 13.x versions prior to 13.5.9
Next.js 12.x versions prior to 12.3.5

What this means

Organisations that use affected Next.js versions could be vulnerable to CVE-2025-29927.

What to look for

How to tell if you're at risk

You are at risk if you are running a Next.js version that falls within the affected versions listed above.
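One way to check an installed version against the affected ranges listed above. This is an added example, not code from CERT NZ or the Next.js project. The function names and the sample lockfile are constructed for illustration, and it assumes an npm package-lock.json with lockfileVersion 2 or 3.

```javascript
// Added example: fixed release per 12.x-15.x line, taken from the advisory's "Systems affected" list.
const FIXED = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// Parse "major.minor.patch[-prerelease][+build]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "affected", "patched", "not-listed" (major outside 12-15) or "unparseable".
function classifyNextVersion(v) {
  const p = parseVersion(v);
  if (!p) return "unparseable";
  const fixed = FIXED[p.core[0]];
  if (!fixed) return "not-listed";
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== fixed[i]) return p.core[i] < fixed[i] ? "affected" : "patched";
  }
  // Same core as the fixed release: a prerelease tag sorts before it in semver,
  // so it is treated here as "prior to" the fix (assumption of this example).
  return p.pre ? "affected" : "patched";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3) and
// classify every installed copy of "next", including nested ones.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === "node_modules/next" || path.endsWith("/node_modules/next"))
    .map(([path, pkg]) => ({ path, version: pkg.version, status: classifyNextVersion(pkg.version) }));
}

// Constructed sample lockfile fragment (not from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "14.2.24" },
    "node_modules/admin-ui/node_modules/next": { version: "15.2.3" },
    "node_modules/next-auth": { version: "4.24.5" },
  },
};

for (const r of auditLockfile(sampleLock)) console.log(`${r.status}\t${r.version}\t${r.path}`);
```

Versions with a major number outside 12 to 15 are reported as "not-listed" because the advisory does not cover them.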

What to do

Prevention

Update to one of the vendor-advised Next.js versions.

More information

Vendor Advisory
CVE-2025-29927 | Next.js


If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@ncsc.govt.nz or call the media team on 021 854.