Next.js sites on Netlify are NOT vulnerable to CVE-2025-29927 / GHSA-f82v-jwr5-mffw

serhalp · March 22, 2025, 8:26pm

Summary

A critical severity security vulnerability in Next.js was just announced. This allows a malicious actor to bypass authorization middleware in certain cases. All Next.js versions earlier than 14.2.25 or 15.2.3 are theoretically affected.

Fortunately, sites on Netlify are not and have never been affected by this vulnerability.

We’ve added end-to-end tests to the OpenNext Netlify adapter validating this.

Steps to take

There is no action required from you. Sites on Netlify are not affected.

(Optional) For the “trust but verify” folks

If you want to validate this yourself on your own site, follow these steps:

Add a middleware to your site like this one
Deploy this change to Netlify:

netlify deploy --build

Issue a request to your deployed website draft URL with the maliciously crafted request header, e.g.:

curl -I -H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' https://abc0dc7e858044204d3d6e36--your-site-here.netlify.app

Confirm that you see this response header printed:

x-test-used-middleware: true

If you require additional support, please reach out.

Topic		Replies	Views
New for Next.js: Next.js Runtime Updates nextjs	0	798	August 24, 2022
Site deploy does not reflect the latest change in next.config.js Support nextjs	1	24	October 26, 2024
Rewrite to another nextjs netlify site Support redirects , nextjs	3	491	November 24, 2022
NextJS: Server Side Rendering (Netlify Function) and Securtiy (Load Balancing, Ddos Protection) Support security , nextjs	2	1438	May 25, 2021
Aunthetication issues after deployment in Next.js 14 Support deployment , nextjs	1	532	January 7, 2024

Next.js sites on Netlify are NOT vulnerable to CVE-2025-29927 / GHSA-f82v-jwr5-mffw

Summary

Steps to take

(Optional) For the “trust but verify” folks

Related topics