§ feed · storyline
Protection against Next.js CVE-2025-29927
Vercel confirms its customers are unaffected by Next.js CVE-2025-29927, a middleware auth-bypass vulnerability, while urging all users to update to patched versions.
A security vulnerability in Next.js was , which allows malicious actors to bypass authorization in Middleware when targeting the header.responsibly disclosedx-middleware-subrequest .
We still recommend updating to the patched versions. Learn more about .Vercel customers are not affectedCVE-2025-29927 Read more
§ sources1 publication · timeline below