Developers and web admins using the Next.js framework for building or managing interactive web applications should install a security update to plug a critical vulnerability.
The vulnerability, CVE-2025-29927, allows an authorization bypass if the “middleware” function is enabled for linking to a service. This vulnerability is critical if the middleware that Next.js is connecting to performs security functions such as authorization, access control, or checking if session cookies are valid.
“This vulnerability would allow you to by-pass that check,” noted Johannes Ullrich, dean of research at the SANS Institute.