Next.js Open Source Framework Affected By Critical Security Vulnerability
Researchers recently revealed a security vulnerability in Next.js, a widely used open-source React framework, allowing malicious actors to bypass authorization in middleware and get access to systems. The flaw, labeled CVE-2025-29927, has been mitigated by Vercel.
In a rush? Here are the quick facts:
- Cybersecurity researchers Allam Yasser and Allam Rachid unveiled a vulnerability in the popular framework Next.js.
- The flaw, identified as CVE-2025-29927, allowed malicious actors to bypass authorization in middleware.
- Vercel took action and shared patches for all affected versions, followed by further updates a few days later.
According to Cyberscoop, Allam Yasser and Allam Rachid, cybersecurity researchers, spotted the vulnerability on February 27 and reported it to Vercel, the cloud company that created and maintains Next.js.
Vercel acknowledged the vulnerability and released patches for all affected versions about two weeks later. Last Friday, the company also issued a security advisory.
“We recommend that all self-hosted Next.js deployments using next start and output: ‘standalone’ should update immediately,” states Next.js’ advisory.
The document explains that the affected applications are the ones self-hosted and currently using Middleware. Applications hosted on Vercel, Netlify, or “deployed as static exports” are not affected by the vulnerability CVE-2025-29927. The ones using Cloudflare are advised to turn on a Managed WAF rule.
“We are not aware of any active exploits,” said Ty Sbano, Chief Information Security Officer (CISO) at Vercel, to Cyberscoop. “If someone hosts a Next.js application outside of Vercel, we would not have visibility into runtime or their analytics. Platforms like Vercel and Netlify were not affected.”
The cloud company doesn’t have accurate data on how many applications using Next.js are active on self-hosted platforms.
Rachid shared a write-up on his blog, Next.js and the corrupt middleware: the authorizing artifact, with more details on the research that uncovered the flaw affecting millions of users.
“A critical vulnerability can occur in any software, but when it affects one of the most popular frameworks, it becomes particularly dangerous and can have severe consequences for the broader ecosystem,” wrote Rachid.
The expert also addressed the company’s response time in mitigating the risk. “The vulnerability took a few days to be addressed by the Vercel team, but it should be noted that once they became aware of it, a fix was committed, merged, and implemented in a new release within a few hours (including backports).”
A few days ago, cybersecurity experts at Pillar Security uncovered a vulnerability in two popular coding assistants, GitHub Copilot and Cursor.