Get details on this recent vulnerability, how to respond, and how Legit can help.
On Friday, March 21, a critical severity vulnerability was discovered in the popular Next.js framework, allowing authentication bypass in affected applications. The vulnerability has received the identifier CVE-2025-29927, has since been acknowledged by Vercel and the Next.js developers, and is fixed in the following versions: 15.2.3, 14.2.25, 13.5.9 and 12.3.5. Some hosting platforms have taken action to secure the applications they host and mitigate the risk for users.
You can read their advisory in Next’s blog post.
Due to the critical nature of the vulnerability and its public disclosure, users of affected versions should act quickly. Often, in cases like these, the moment a vulnerability is disclosed, threat actors spring into action, hunting for applications that have yet to be patched.
Affected applications can have their login screens bypassed without valid credentials, compromising data and users. To remain safe, developers using Next.js version 11 or higher should update their framework to one of the fixed versions listed above. If this is not possible, developers should block all user requests that carry the 'x-middleware-subrequest' header. Applications hosted on Vercel and Netlify have already had this action taken by the platforms themselves in order to protect users.
How Legit can help
Addressing this vulnerability is no trivial feat, especially for large companies with diverse software libraries and a multitude of development teams. Identifying points of failure, and enforcing software dependency updates, all while looking out for breaking changes and breach attempts, is not easy. Now multiply that by hundreds, thousands, or even tens of thousands of repos, and you might have a problem it would take days to assess, let alone remediate.
This is where the Legit ASPM platform comes in. Using Legit’s discovery and visibility tools, you can easily identify affected areas in your code by creating a query to quickly find the relevant repositories, product units, and teams to resolve the issues.
Another point of friction that may affect the response to this vulnerability is the common flood of issues and alerts from different security tools, creating noise and confusion about remediation. Using Legit, issues can be aggregated, prioritized, assigned, and acted upon to solve vulnerabilities in the most efficient manner. These issues are automatically closed once the underlying cause is fixed, meaning teams can easily track progress and move on to the next fix or feature.
To learn more about Legit or this vulnerability, book a demo.