Cyber Security Alert: CVE affecting Next.js

Posted March 28, 2025

The NCSC would like to draw your attention to CVE-2025-29927 affecting Next.js.

CVE-2025-29927 is an Authentication Bypass vulnerability affecting Next.js that could allow a remote attacker to bypass security checks.

This vulnerability affects the following Next.js versions:

Next.js 15.x versions prior to 15.2.3
Next.js 14.x versions prior to 14.2.25
Next.js 13.x versions prior to 13.5.9
Next.js 12.x versions prior to 12.3.5

The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory (external link)and apply the remediation as soon as possible.

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.

For more NCSC NZ updates, follow(external link) us on LinkedIn.

Latest headlines

NCSC releases Cyber Security Insights Report for Q4 2024

Cyber Threat Report 2023/24 released

Joint Guidance: Security for edge devices

Joint Guidance: Secure by Demand for OT Owners and Operators