Protection against Next.js CVE-2025-29927

Aaron BrownHead of Security

1 min read

Mar 22, 2025

A security vulnerability in Next.js was responsibly disclosed, which allows malicious actors to bypass authorization in Middleware when targeting the x-middleware-subrequest header.

Vercel customers are not affected. We still recommend updating to the patched versions. Learn more about CVE-2025-29927.

Ready to deploy? Start building with a free account. Speak to an expert for your Pro or Enterprise needs.

Start Deploying

Talk to an Expert

Explore Vercel Enterprise with an interactive product tour, trial, or a personalized demo.

Explore Enterprise

DX Platform

Managed Infrastructure

Open Source

Use Cases

Users

Tools

Company

Protection against Next.js CVE-2025-29927