Is my Next.js app vulnerable to CVE-2025-29927?
If your Next.js version is below 15.2.3 / 14.2.25 / 13.5.9 / 12.3.5, yes. Vercel-hosted apps are patched automatically; self-hosted deployments need to upgrade. Run /tools to confirm against your deployed URL.
CVE-2025-29927 is a CVSS 9.1 authentication bypass triggered by a single HTTP header (`x-middleware-subrequest`). One year after disclosure, roughly 40% of public Next.js apps are still vulnerable.
Quick check:

```
grep '"next"' package.json
```

Anything below the patched versions above is vulnerable.
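The grep above prints a version spec such as `"^14.2.0"`, which still has to be compared against the right floor for its major line. The following is an added example (not part of this page's tooling) that does that comparison using the patched versions listed above; the function and sample `package.json` are constructed for illustration.

```javascript
// Patched floors for each major line, as listed on this page.
const PATCHED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// Parse "^14.2.0", "~13.5.9", ">=15.2.3", "15.2.3-canary.4" into [major, minor, patch].
// Range prefixes are dropped: the lowest version a range allows is what the
// lockfile may have resolved to, so the pessimistic reading is the safe one.
function parseNextVersion(spec) {
  const m = /^\s*[\^~>=v]*\s*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null; // "latest", "*", workspace: or git specs: cannot tell from here
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "vulnerable", "patched" or "unknown" for one version spec.
function cve202529927Status(spec) {
  const v = parseNextVersion(spec);
  if (!v) return 'unknown';
  const major = v[0];
  if (major > 15) return 'patched';    // released after the fix
  if (major < 12) return 'vulnerable'; // below 12.3.5, the lowest floor above
  // A prerelease of the patched version (e.g. 15.2.3-canary.1) sorts below the
  // release in semver, so it is treated as vulnerable as well.
  const pre = /^\s*[\^~>=v]*\s*\d+\.\d+\.\d+-/.test(spec);
  const cmp = compareVersions(v, PATCHED[major]);
  return cmp < 0 || (cmp === 0 && pre) ? 'vulnerable' : 'patched';
}

// Reads the "next" entry from a package.json string, like the grep above does.
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  const spec = (pkg.dependencies || {}).next || (pkg.devDependencies || {}).next;
  return spec ? cve202529927Status(spec) : 'unknown';
}

// Constructed sample input, not taken from a real project.
const SAMPLE = JSON.stringify({ dependencies: { next: '^14.2.0', react: '^18' } });
console.log(checkPackageJson(SAMPLE)); // vulnerable
```

A range spec only tells you the floor; `npm ls next` shows the version actually installed from the lockfile, and that is the one to compare.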
Exploit proof (run against your URL):

```
curl -H 'x-middleware-subrequest: src/middleware' https://yourapp.com/admin
```

If the response differs from a normal request (e.g., you see admin content that should be gated), you are vulnerable.
Fix: upgrade Next.js. No code changes required.
Workaround if upgrade is blocked: strip the `x-middleware-subrequest` header at your edge (Vercel rewrite rule / Cloudflare Worker / nginx config) until you can upgrade.