CVE-2025-29927 affecting Next.js

3:30pm, 27 March 2025

TLP Rating: Clear

CVE-2025-29927 could allow a remote attacker to skip critical security checks, including bypassing middleware and cookie validation.

Next.js has published advice for those using the affected versions.

What's happening

Systems affected

Next.js 15.x versions prior to 15.2.3
Next.js 14.x versions prior to 14.2.25
Next.js 13.x versions prior to 13.5.9
Next.js 12.x versions prior to 12.3.5

What this means

Organisations that use affected Next.js versions could be vulnerable to CVE-2025-29927.

What to look for

How to tell if you're at risk

You are at risk if you are running a Next.js instance within the listed affected versions.
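
The version check described above, as an added example (not code from this alert or from the vendor): it classifies every installed copy of `next` found in a package-lock.json against the fixed versions listed under "Systems affected". The lockfile content is a constructed sample, and treating a pre-release of a fixed version as affected is an assumption.

```javascript
// Added example: thresholds below are the fixed versions listed in this alert.
const FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Parse "15.2.3" or "15.2.3-canary.4" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Classify one version as "affected", "fixed", "not-listed" or "unparseable".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return { version, status: "unparseable" };
  const fixed = FIXED[p.parts[0]];
  if (!fixed) return { version, status: "not-listed" }; // release line not named in the alert
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== fixed[i]) {
      return { version, status: p.parts[i] < fixed[i] ? "affected" : "fixed", fixedIn: fixed.join(".") };
    }
  }
  // Same x.y.z as the fix: a pre-release sorts before the release in semver,
  // so it is treated as "prior to" the fixed version (conservative assumption).
  return { version, status: p.pre ? "affected" : "fixed", fixedIn: fixed.join(".") };
}

// Find every installed copy of "next" in a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other packages.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/next$/.test(path))
    .map(([path, meta]) => ({ path, ...classify(meta.version) }));
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "14.2.24" },
    "node_modules/next-auth": { version: "4.24.0" },
    "apps/admin/node_modules/next": { version: "15.2.3" },
  },
});

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}: next@${r.version} -> ${r.status}`);
}
```

A "not-listed" result means the release line is not named in this alert, not that it has been confirmed safe.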

What to do

Prevention

Update to one of the vendor-advised Next.js versions.

More information

Vendor Advisory
CVE-2025-29927 | Next.js

If you require more information or further support, submit a report on our website or contact us on 0800 114 115.

For media enquiries, email our media desk at media@ncsc.govt.nz.