NCSC urges UK organisations to take action over Next.js web development framework issues

NCSC

The National Cyber Security Centre (NCSC) is encouraging UK organisations to take immediate action to mitigate a vulnerability (CVE-2025-29927) affecting the Next.js framework used to build web applications.

What has happened?

Next.js has published a security advisory detailing an authorisation bypass vulnerability in Next.js, a popular open-source React-based web development framework used to build full-stack web applications in the UK and around the world.

An attacker may be able to exploit this vulnerability by sending an external request that the system treats as an internal request, thereby bypassing authorisation checks and gaining unauthorised access to sensitive data.

Proof-of-concept exploits for this vulnerability are widely and freely available.

Who is affected?

Organisations hosting web applications that use the following versions of Next.js are vulnerable: 

  • All versions of 13.x before 13.5.9 
  • All versions of 14.x before 14.2.25 
  • All versions of 15.x before 15.2.3 
  • Versions from 11.1.4 up to (but not including) 12.3.5

What should organisations do?

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, if you use an affected product, you should take these priority actions: 

  1. Update to one of the latest fixed versions listed on the vendor’s website at the earliest opportunity.
  2. If updating to a fixed version is not feasible, the vendor has recommended that external user requests containing the “x-middleware-subrequest” header be blocked from reaching your Next.js application. This should be a temporary measure until updating to the latest version is possible.
  3. Monitor logs for potential attacks, for example x-middleware-subrequest headers in external requests.
  4. If you suspect a compromise, find out where to report by visiting gov.uk/report-cyber.

Exploitation

The vendor advisory highlights that this vulnerability is exploitable in self-hosted Next.js applications if authorisation checks occur in Next.js middleware. Applications hosted on Vercel, Netlify, or deployed as static exports are not affected.
