Next.js Open Source Framework Affected By Critical Security Vulnerability




Researchers recently disclosed a security vulnerability in Next.js, a widely used open-source React framework, that allows malicious actors to bypass authorization checks performed in middleware and gain unauthorized access to systems. The flaw, tracked as CVE-2025-29927, has been mitigated by Vercel.

In a rush? Here are the quick facts:

  • Cybersecurity researchers Allam Yasser and Allam Rachid disclosed a vulnerability in the popular framework Next.js.
  • The flaw, identified as CVE-2025-29927, allowed malicious actors to bypass authorization in middleware.
  • Vercel responded by releasing patches and updates for all affected versions a few days later.

According to Cyberscoop, Allam Yasser and Allam Rachid, cybersecurity researchers, spotted the vulnerability on February 27 and reported it to Vercel, the cloud company that created and maintains Next.js.

Vercel acknowledged the vulnerability and released patches for all affected versions about two weeks later. Last Friday, the company also issued a security advisory.

“We recommend that all self-hosted Next.js deployments using next start and output: ‘standalone’ should update immediately,” states Next.js’ advisory.

The advisory explains that the affected applications are self-hosted deployments that currently use middleware. Applications hosted on Vercel or Netlify, or “deployed as static exports,” are not affected by CVE-2025-29927. Those using Cloudflare are advised to enable a Managed WAF rule.

“We are not aware of any active exploits,” said Ty Sbano, Chief Information Security Officer (CISO) at Vercel, to Cyberscoop. “If someone hosts a Next.js application outside of Vercel, we would not have visibility into runtime or their analytics. Platforms like Vercel and Netlify were not affected.”

The cloud company doesn’t have accurate data on how many applications using Next.js are active on self-hosted platforms.

Rachid published a write-up on his blog, Next.js and the corrupt middleware: the authorizing artifact, with more details on the research that uncovered the flaw, which affects millions of users.

“A critical vulnerability can occur in any software, but when it affects one of the most popular frameworks, it becomes particularly dangerous and can have severe consequences for the broader ecosystem,” wrote Rachid.

The expert also addressed the company’s response time in mitigating the risk. “The vulnerability took a few days to be addressed by the Vercel team, but it should be noted that once they became aware of it, a fix was committed, merged, and implemented in a new release within a few hours (including backports).”

A few days earlier, cybersecurity experts at Pillar Security uncovered a vulnerability in two popular coding assistants, GitHub Copilot and Cursor.
