Next.js CVE-2025-29927

Category: Company

On March 21, 2025, Next.js disclosed a critical security vulnerability, CVE-2025-29927, that may impact your application.

This vulnerability allows attackers to bypass middleware-based authentication and authorization protections, potentially allowing unauthorized access to your application.

Impacted applications

Important

If your application is not using Next.js, or if it is hosted on Vercel or Netlify, it is not impacted.

Yesterday, we mistakenly announced on X that all applications using Clerk were not impacted. Since then, we have discovered two scenarios where your application may be impacted.

  1. You use Clerk's middleware for protecting routes that do not directly read user data. This is most likely to impact static applications that solely rely on middleware for authentication checks. If you call any of the following methods in routes protected by middleware, your page or endpoint is safe:

    • auth()
    • getAuth()
    • protect()
    • currentUser()
  2. Or, you have not upgraded to @clerk/nextjs@5.2 or higher, which was released in June 2024.

Patching your application

If your application is impacted, the remediation is to upgrade your next package as follows:

  • For Next.js 15.x, this issue is fixed in 15.2.3 and later
  • For Next.js 14.x, this issue is fixed in 14.2.25 and later
  • For Next.js 13.x, this issue is fixed in 13.5.9 and later

If patching to a safe version is infeasible, it is recommended that you prevent external user requests that contain the x-middleware-subrequest header from reaching your Next.js application. If your application uses Cloudflare, this can safely be accomplished with a Managed WAF rule.

Even if you are not impacted, we strongly recommend that you upgrade to the latest versions of next and @clerk/nextjs.

Additional support is available

We have also sent an email to the administrators of all Clerk applications that are potentially impacted by this vulnerability. If you have questions, need help determining whether your application is at risk, or need help with mitigation, reply to the email you received or reach out directly to

Security at Clerk

Our announcement on X that Clerk applications were not impacted was a significant error. We apologize, and will be reflecting on and improving our procedures for zero-day vulnerabilities to ensure it does not happen again.

Going forward, we are pleased that the Next.js team has committed to giving Clerk advance notice on vulnerabilities. We will be seeking similar relationships with other framework authors.

Authors
Colin Sidoti
Braden Sidoti