Description
A critical security vulnerability (CVE-2025-29927) was recently disclosed in Next.js, affecting self-hosted applications that rely on Middleware for security checks.
Reference: https://nextjs.org/blog/cve-2025-29927
📌 What's the issue?
Next.js versions prior to the following are vulnerable:
- 15.x → ✅ fixed in 15.2.3
- 14.x → ✅ fixed in 14.2.25
- 13.x → ✅ fixed in 13.5.9
- 12.x → ✅ fixed in 12.3.5
The vulnerability allows a request carrying a crafted x-middleware-subrequest header to bypass Middleware entirely, so any check Middleware performs for that request (auth validation, redirect to login, and so on) is skipped. Next.js uses this header internally to mark its own subrequests, and an attacker can simply supply it from outside.
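To turn the version table above into something a script can run over a repository, here is an added example (not code from the Next.js advisory or from this issue) that classifies an installed Next.js version against the four patched releases. The lockfile layout it reads is npm's (`packages["node_modules/next"]` for lockfileVersion 2/3, `dependencies.next` for v1); the sample lockfile at the bottom is constructed for the stand-alone run and is not from any real project. Prerelease builds and major lines the table does not cover are reported as undecided rather than guessed.

```javascript
// Added example, not from the Next.js advisory or this issue: triage an
// installed Next.js version against the patched releases listed above.
// One fixed version per major line, exactly as the advisory table states.
const PATCHED = { 15: "15.2.3", 14: "14.2.25", 13: "13.5.9", 12: "12.3.5" };

// Parse "MAJOR.MINOR.PATCH" with an optional leading ^/~/v and an optional
// prerelease suffix (e.g. "15.2.3-canary.1"). Returns null if unparsable.
function parseVersion(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || "" };
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// vulnerable: true  -> older than the patched release of its major line
//             false -> the patched release or newer
//             null  -> cannot decide from the table (unparsable, prerelease,
//                      or a major line the table does not cover)
function triage(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { vulnerable: null, fixedIn: null, reason: "unparsable version" };
  const fixedIn = PATCHED[parsed.nums[0]];
  if (!fixedIn) return { vulnerable: null, fixedIn: null, reason: "major line not in the advisory table" };
  if (parsed.pre) return { vulnerable: null, fixedIn, reason: "prerelease build; confirm manually" };
  return { vulnerable: compareNums(parsed.nums, parseVersion(fixedIn).nums) < 0, fixedIn };
}

// package.json holds a range, not what is installed; read the lockfile instead.
// Handles npm lockfileVersion 2/3 ("packages") and v1 ("dependencies").
function triageLockfile(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const entry = (lock.packages && lock.packages["node_modules/next"]) ||
                (lock.dependencies && lock.dependencies.next);
  if (!entry || !entry.version) {
    return { installed: null, vulnerable: null, fixedIn: null, reason: "next not found in lockfile" };
  }
  return { installed: entry.version, ...triage(entry.version) };
}

// Constructed sample lockfile (not from any real project) for a stand-alone run.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^14.2.0" } },
    "node_modules/next": { version: "14.2.24" },
  },
});

console.log(triageLockfile(SAMPLE_LOCK));
```

Run it against a real checkout by passing the contents of package-lock.json to triageLockfile; `npm ls next` gives the same installed version if the lockfile is not committed. A `^13.5.9` range in package.json only proves the fix is allowed, not that it is installed.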
✅ What needs to be done
- Upgrade Next.js to a patched version
  - If the current version is 13.x, upgrade to ^13.5.9
  - If another version, upgrade to the corresponding patched release listed above
- Test the application locally (npm run dev), and also in the production mode that is actually deployed (next build followed by next start), since that is the mode the advisory describes as affected
- Verify Middleware-based auth/security flows still work
- Commit the changes and open a PR with a clear title, such as:
  chore(security): upgrade Next.js to fix CVE-2025-29927
💬 Additional context
Applications hosted on Vercel or Netlify are not affected. Self-hosted apps using next start with output: 'standalone' are impacted.
If upgrading is temporarily not feasible, block external requests that carry the x-middleware-subrequest header at the proxy or gateway level so they never reach the Next.js application. Treat this as a stopgap only; the upgrade is still required.