Skip to main content
A critical security vulnerability, CVE-2025-29927, was recently discovered in Next.js applications that use middleware in self-hosted environments. This vulnerability could allow attackers to bypass important security checks, potentially compromising your application’s security. As a cloud application platform prioritizing security, Upsun is committed to helping you understand and address this issue promptly.

What is the Vulnerability?

Next.js uses an internal HTTP header, x-middleware-subrequest, to prevent middleware from triggering infinite loops through recursive requests. The security vulnerability, identified in February 2025 and publicly released on March 22, 2025 (Saturday), demonstrated that it’s possible for attackers to:
  1. Skip middleware execution entirely by manipulating request headers
  2. Bypass critical security checks like authentication validation
  3. Access routes that should be protected
This vulnerability is particularly concerning if your application relies on middleware for authorization, authentication, or other security-critical operations.

Am I Affected?

Your Next.js application deployed on Upsun may be vulnerable if:
  • You’re using middleware for security-critical functions (authentication, authorization, etc.)
  • You’re deploying with next start and output: 'standalone' configuration
  • You’re running any of these Next.js versions:
    • Next.js 15.x equal or prior to 15.2.2
    • Next.js 14.x equal or prior to 14.2.23
    • Next.js 13.x equal or prior to 13.5.8
    • Next.js 12.x equal or prior to 12.3.4
Your application is not affected if:
  • You’re deploying your Next.js application as a static export
  • You don’t use middleware for security-critical functions
  • You’ve already updated to a patched version

How to Address the Vulnerability

Update Your Next.js Version

The only straightforward solution is updating your Next.js version to a patched release:
  • For Next.js 15.x: Update to version 15.2.3 or later
  • For Next.js 14.x: Update to version 14.2.25 or later
  • For Next.js 13.x: Update to version 13.5.9 or later
  • For Next.js 12.x: Update to version 12.3.5 or later
Here’s how to update your Next.js dependency: 
npm install next@latest
# or 
yarn upgrade next --latest
# or
pnpm update next --latest
After updating, rebuild and redeploy your application on Upsun: 
git add package.json package-lock.json
git commit -m "Update Next.js to patched version for CVE-2025-29927"
upsun deploy

WAF Protection Options

For additional security, consider implementing Web Application Firewall (WAF) protection:
  • Platform.sh and Upsun Enterprise Customers: If you have the Fastly WAF option enabled, you can open a support ticket requesting a rule to block the vulnerable header. Our security team will implement custom rules to protect your application while ensuring authentication flows remain functional.
  • Cloudflare Users: Cloudflare has released a managed WAF rule to protect against this vulnerability

Verifying Your Fix

After implementing any of the above solutions, you can verify the fix by attempting to access a protected route with a manually crafted request containing the x-middleware-subrequest header. The request should be rejected or should trigger your middleware as expected.

Timeline of the Vulnerability

  • February 27, 2025: Initial disclosure to the Next.js team
  • March 14, 2025: Vulnerability triage and patches pushed
  • March 17-23, 2025: Patched versions released across Next.js versions
  • March 18, 2025: CVE-2025-29927 issued by GitHub
  • March 21, 2025: Security Advisory published
If you’re concerned about this vulnerability or need assistance securing your Next.js application on Upsun, please contact our support team).

Additional Resources

Last modified on April 27, 2026