Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com
← Back to Vulnerability Briefs

Critical Security Flaw in Next.js Web Applications Could Let Hackers Bypass Access Controls

A serious security weakness has been found in certain versions of Next.js, a popular tool used to build websites and web applications. This flaw could allow unauthorised users to bypass security checks and access parts of a website they shouldn’t. It is important for organisations using Next.js to update their software or take protective steps to avoid potential cyberattacks.

27 June 2026

Reference: CVE-2025-29927

1. What is being reported?

The report highlights a vulnerability in Next.js versions from 1.11.4 up to specific versions before 12.3.5, 13.5.9, 14.2.25, and 15.2.3. This flaw allows attackers to bypass authorisation checks if those checks are done in middleware, a part of the application that processes requests. Essentially, someone could trick the system into granting access without proper permission.

2. What this means in plain English

For small organisations, this means that if your website or application uses an affected version of Next.js and relies on middleware for security checks, attackers might gain unauthorised access to sensitive areas or data. This could lead to data breaches or misuse of your online services.

3. Could this affect a small business?

If your organisation’s website or web application is built using Next.js within the affected versions and uses middleware for authorisation, you could be at risk. If you don’t use Next.js or your software supplier manages updates, you are less likely to be affected. It’s best to check with your IT provider.

4. What to do now

  • Ask your IT provider if your website or applications use Next.js and check the version in use.
  • If using an affected version, update Next.js to one of the safe versions: 12.3.5, 13.5.9, 14.2.25, or 15.2.3.
  • If updating is not possible immediately, ensure that requests containing the 'x-middleware-subrequest' header from external users are blocked before reaching your application.
  • Monitor your web applications for unusual access patterns and report any suspicious activity to your IT provider.

5. Ask your IT provider

Can you confirm if our website or web applications use Next.js, and if so, are they updated to a version that fixes the CVE-2025-29927 vulnerability?

6. Bottom line

Make sure your Next.js software is up to date or protected to prevent unauthorised access through this critical security flaw.

Information based on CISA KEV, NVD, and reputable security reporting.

Back to Vulnerability Briefs