27 June 2026
Reference: CVE-2025-29927
1. What is being reported?
The report highlights a vulnerability in Next.js versions from 1.11.4 up to specific versions before 12.3.5, 13.5.9, 14.2.25, and 15.2.3. This flaw allows attackers to bypass authorisation checks if those checks are done in middleware, a part of the application that processes requests. Essentially, someone could trick the system into granting access without proper permission.
2. What this means in plain English
For small organisations, this means that if your website or application uses an affected version of Next.js and relies on middleware for security checks, attackers might gain unauthorised access to sensitive areas or data. This could lead to data breaches or misuse of your online services.
3. Could this affect a small business?
If your organisation’s website or web application is built using Next.js within the affected versions and uses middleware for authorisation, you could be at risk. If you don’t use Next.js or your software supplier manages updates, you are less likely to be affected. It’s best to check with your IT provider.
4. What to do now
- Ask your IT provider if your website or applications use Next.js and check the version in use.
- If using an affected version, update Next.js to one of the safe versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3.
- If updating is not possible immediately, ensure that requests containing the 'x-middleware-subrequest' header from external users are blocked before reaching your application.
- Monitor your web applications for unusual access patterns and report any suspicious activity to your IT provider.
5. Ask your IT provider
Can you confirm if our website or web applications use Next.js, and if so, are they updated to a version that fixes the CVE-2025-29927 vulnerability?
6. Bottom line
Make sure your Next.js software is up to date or protected to prevent unauthorised access through this critical security flaw.
Information based on CISA KEV, NVD, and reputable security reporting.