Reading time: 5 min read
Next.js Middleware CVE-2025-29927: What Does it Mean for Sitecore Customers?
A Next.js critical vulnerability was disclosed on Friday March 21st 2025. Discover if you are affected and how to protect your websites.
A Next.js critical vulnerability was disclosed on Friday March 21st 2025. Discover if you are affected and how to protect your websites.
Start typing to search...
CVE-2025-29927, you heard it everywhere recently. You are a Sitecore customer using Next.js for your website(s) and you need to know what to do now. This article is for you. We will cover:
CVE-2025-29927 is a critical vulnerability with a score of 9.1/10 in these versions of Next.js:
The vulnerability is in the Next.js middleware feature and how it handles middleware code that sends HTTP requests that could cause an infinite loop of calls.
The vulnerability has been fixed in these Next.js releases:
In general, the possible exploits caused by this vulnerability are:
For Sitecore websites, we can add SXA redirects bypass to this list. This could allow access to pages that should not be publicly accessible at those URLs that should normally be redirected. For example:
/Home/old-page Sitecore page item that is still published./old-page to /new-page./old-page.First, your website is not vulnerable if:
Your website is vulnerable if it meets all these criteria:
next start).To know which version of Next.js your website is using:
package-lock.json file."node_modules/next" (with the double quotes).The JSON object version property is your project Next.js version.
Example of a package-lock.json Next.js version:
{
...
"packages": {
...
"node_modules/next": {
"version": "14.2.16",
...
},
...
}
}
If your website is using Cloudflare as a proxy, one easy way to protect it is to turn on the new opt-in Web Application Firewall (WAF) rule specific to this vulnerability. The rule is opt-in as it could cause issues like failing requests, especially with sites that use auth middleware with third-party auth vendors. Make sure to test your website thoroughly after enabling the rule. Rollback and use another method if necessary.
It should be very rare, but if your website is using Next.js 11.1.4, there is no fixed Next.js release. It is then recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This can be done using the Cloudflare method above or another way.
If your website is using a vulnerable Next.js 12.x, 13.x, 14.x, or 15.x version, a developer on your team can update Next.js to the latest patch for the major version you are using. This guide assumes you have a GitFlow release process with branches and environments for DEV, QA, and PROD. Adjust these steps for your specific solution.
npm update next command.
package.json and package-lock.json files.package.json and package-lock.json files and any other files involved in fixed issues in the CVE-2025-29927 branch.Then, deploy the changes to your DEV environment:
If the tests are going well, continue the release process to QA and PROD. Make sure to test in each environment.
Not a lot of Sitecore headless websites will require a remediation action on your part as most of them are hosted on Vercel or Netlify. If that is not your case, I hope this article was valuable to understand and mitigate the issue.
Happy Sitecoring!