Next.js Security Vulnerability (CVE-2025-29927): What Upsun Users Need to Know
A critical security vulnerability, CVE-2025-29927, was recently discovered in Next.js applications that use middleware in self-hosted environments. This vulnerability could allow attackers to bypass important security checks, potentially compromising your application’s security. As a cloud application platform prioritizing security, Upsun is committed to helping you understand and address this issue promptly.
What is the Vulnerability?
Next.js uses an internal HTTP header, x-middleware-subrequest, to prevent middleware from triggering infinite loops through recursive requests. The security vulnerability, identified in February 2025 and publicly released on March 22, 2025 (Saturday), demonstrated that it’s possible for attackers to:
- Skip middleware execution entirely by manipulating request headers
- Bypass critical security checks like authentication validation
- Access routes that should be protected
This vulnerability is particularly concerning if your application relies on middleware for authorization, authentication, or other security-critical operations.
Am I Affected?
Your Next.js application deployed on Upsun may be vulnerable if:
- You’re using middleware for security-critical functions (authentication, authorization, etc.)
- You’re deploying with
next startandoutput: 'standalone'configuration - You’re running any of these Next.js versions:
- Next.js
15.xequal or prior to15.2.2 - Next.js
14.xequal or prior to14.2.23 - Next.js
13.xequal or prior to13.5.8 - Next.js
12.xequal or prior to12.3.4
- Next.js
Your application is not affected if:
- You’re deploying your Next.js application as a static export
- You don’t use middleware for security-critical functions
- You’ve already updated to a patched version
How to Address the Vulnerability
Update Your Next.js Version
The only straightforward solution is updating your Next.js version to a patched release:
- For Next.js
15.x: Update to version15.2.3or later - For Next.js
14.x: Update to version14.2.25or later - For Next.js
13.x: Update to version13.5.9or later - For Next.js
12.x: Update to version12.3.5or later
Here’s how to update your Next.js dependency:
npm install next@latest
# or
yarn upgrade next --latest
# or
pnpm update next --latestAfter updating, rebuild and redeploy your application on Upsun:
git add package.json package-lock.json
git commit -m "Update Next.js to patched version for CVE-2025-29927"
upsun deployWAF Protection Options
For additional security, consider implementing Web Application Firewall (WAF) protection:
Platform.sh and Upsun Enterprise Customers: If you have the Fastly WAF option enabled, you can open a support ticket requesting a rule to block the vulnerable header. Our security team will implement custom rules to protect your application while ensuring authentication flows remain functional.
Cloudflare Users: Cloudflare has released a managed WAF rule to protect against this vulnerability
Verifying Your Fix
After implementing any of the above solutions, you can verify the fix by attempting to access a protected route with a manually crafted request containing the x-middleware-subrequest header. The request should be rejected or should trigger your middleware as expected.
Timeline of the Vulnerability
- February 27, 2025: Initial disclosure to the Next.js team
- March 14, 2025: Vulnerability triage and patches pushed
- March 17-23, 2025: Patched versions released across Next.js versions
- March 18, 2025: CVE-2025-29927 issued by GitHub
- March 21, 2025: Security Advisory published
If you’re concerned about this vulnerability or need assistance securing your Next.js application on Upsun, please contact our support team).