Critical Security Update: Next.js 15.2.3 Fixes CVE-2025-29927


Critical Security Update (CVE-2025-29927)

Next.js has rolled out version 15.2.3 to address a critical security issue (CVE-2025-29927). This update, along with backported patches for previous versions, is essential for all self-hosted deployments using Middleware with next start and output: 'standalone'. If your application relies on Middleware for authentication or other security checks, you should update immediately.


Timeline of the Incident

  • 2025-02-27T06:03Z – The vulnerability was first reported privately to the Next.js team via GitHub.
  • 2025-03-14T17:13Z – The team began triaging the issue.
  • 2025-03-14T19:08Z – A patch was pushed for Next.js 15.x.
  • 2025-03-14T19:26Z – A corresponding patch was deployed for Next.js 14.x.
  • 2025-03-17T22:44Z – Next.js version 14.2.25 was released.
  • 2025-03-18T00:23Z – Version 15.2.3 was officially released.
  • 2025-03-18T18:03Z – GitHub issued the CVE: CVE-2025-29927.
  • 2025-03-21T10:17Z – A detailed security advisory was published.
  • 2025-03-22T21:21Z – Next.js 13.5.9 became available.
  • 2025-03-23T06:44Z – Next.js 12.3.5 was released.


What Went Wrong

Next.js uses an internal header called x-middleware-subrequest to prevent recursive requests from causing infinite loops. Recent findings revealed that it was possible to bypass Middleware execution. This vulnerability could allow requests to skip critical verifications—such as checking authorization cookies—before reaching the intended routes.


Who Is Impacted

Affected

  • Self-hosted Applications: Those running Next.js with Middleware (using next start and output: 'standalone') are vulnerable if they rely on Middleware for key security checks.
  • Cloudflare Users: If you use Cloudflare, you can mitigate risk by enabling a Managed WAF rule.

Not Affected

  • Hosted Platforms: Applications hosted on Vercel or Netlify are not impacted.
  • Static Exports: Deployments that generate static exports (where Middleware is not executed) are also safe.


Patched Versions

To address the vulnerability, update your Next.js deployment to one of the following versions based on your current version:

  • Next.js 15.x: Upgrade to 15.2.3
  • Next.js 14.x: Upgrade to 14.2.25
  • Next.js 13.x: Upgrade to 13.5.9
  • Next.js 12.x: Upgrade to 12.3.5

If you cannot upgrade immediately, it is recommended to block any external requests that contain the x-middleware-subrequest header from reaching your application.


Our Ongoing Commitment to Security

Since 2016, Next.js has released 16 security advisories, continually refining how vulnerabilities are identified, fixed, and communicated. While the issuance of CVE-2025-29927 adhered to industry standards, we recognize that communication with our partners could have been smoother. To address this, we are launching a dedicated partner mailing list. If you’re a partner or infrastructure provider interested in receiving timely updates, please contact [email protected].


Final Thoughts

Security is paramount, and keeping your Next.js deployment up to date is a critical step in protecting your application. For those using Middleware in a self-hosted environment, updating to the patched versions is highly recommended. Stay informed about future updates and consider joining our partner mailing list for the latest security news.

Stay secure and thank you for trusting Next.js.



More articles by Dan Duran