
Emerging Threat: Next.js CVE-2025-29927

By Emma Zaballos
Product Marketing Manager
March 27, 2025

CVE-2025-29927 is a critical authorization vulnerability (CVSS 9.1) in self-hosted Next.js applications using middleware, allowing attackers to bypass security checks with a crafted x-middleware-subrequest header. It affects versions 11.1.5 to 15.2.2, with patches available in newer releases. While there are no active exploits reported as of March 27, 2025, CyCognito has issued guidance to help organizations assess and mitigate exposure.
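One way to keep an externally supplied `x-middleware-subrequest` header from reaching a self-hosted Next.js app until it is upgraded, shown as an added example that is not from the original post. The guard function, its `mode` and `onHit` options, and the sample requests are hypothetical and constructed for illustration.

```javascript
// Header named in the advisory. HTTP header names are case-insensitive.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Return header keys (original casing) that match the blocked header.
function findSubrequestHeaders(headers) {
  return Object.keys(headers || {}).filter(
    (name) => name.trim().toLowerCase() === BLOCKED_HEADER
  );
}

// Hypothetical Connect/Express-style guard for a Node front end placed before
// the Next.js app. mode 'reject' answers 400; mode 'strip' deletes the header
// and forwards. onHit is an optional hook for detection logging.
function guardSubrequestHeader({ mode = 'reject', onHit = () => {} } = {}) {
  return function guard(req, res, next) {
    const hits = findSubrequestHeaders(req.headers);
    if (hits.length === 0) return next();
    onHit({ url: req.url, values: hits.map((h) => req.headers[h]) });
    if (mode === 'strip') {
      for (const h of hits) delete req.headers[h];
      return next();
    }
    res.statusCode = 400;
    res.end('Bad Request');
  };
}

// Constructed sample requests (not real traffic, placeholder header value).
const SAMPLE_REQUESTS = [
  { url: '/dashboard', headers: { host: 'app.example.test' } },
  { url: '/admin', headers: { host: 'app.example.test', 'X-Middleware-Subrequest': 'constructed-value' } },
];

// Run the guard over the samples with mock req/res objects and report outcomes.
function runSamples(mode) {
  const events = [];
  const guard = guardSubrequestHeader({ mode, onHit: (e) => events.push(e) });
  const results = SAMPLE_REQUESTS.map((sample) => {
    const req = { url: sample.url, headers: { ...sample.headers } };
    const res = { statusCode: 200, end() {} };
    let forwarded = false;
    guard(req, res, () => { forwarded = true; });
    return { url: req.url, forwarded, status: res.statusCode, headers: req.headers };
  });
  return { results, events };
}

console.log(JSON.stringify(runSamples('reject'), null, 2));
```

In `strip` mode, a proxy that forwards from `req.rawHeaders` rather than `req.headers` would still pass the header along, so `reject` is the safer default.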


