Cyber Security Alert: CVE affecting Next.js

Posted March 28, 2025
Cyber Security Alerts

The NCSC would like to draw your attention to CVE-2025-29927 affecting Next.js.

CVE-2025-29927 is an Authentication Bypass vulnerability affecting Next.js that could allow a remote attacker to bypass security checks.

This vulnerability affects the following Next.js versions:

Next.js 15.x versions prior to 15.2.3
Next.js 14.x versions prior to 14.2.25
Next.js 13.x versions prior to 13.5.9
Next.js 12.x versions prior to 12.3.5

The NCSC encourages organisations in New Zealand that use the affected product to review the vendor advisory (external link)and apply the remediation as soon as possible.

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.

For more NCSC NZ updates, follow(external link) us on LinkedIn.

Latest headlines

Cyber Security Alert: CVE affecting Erlang/OTP SSH

Cyber Security Alert: CVEs affecting Fortinet FortiOS products

Joint Advisory: MOONSHINE and BADBAZAAR spyware targeting communities and groups

Cyber Security Alert: CVE affecting CrushFTP