Is CVE-2025-29927 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2025-29927 is not currently listed in the CISA KEV catalog.

Which frameworks does CVE-2025-29927 affect?

CVE-2025-29927 affects Next.js.

Vulnerability intelligence

CVE-2025-29927

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js 13.0 through 15.5.15 and 16.x before 16.2.5. A separate CVE-2026-23869 enables memory exhaustion DoS via React Server Components. Astro, Svelte, and Hugo are not affected.

Next.js 2025

What WebPulse reported · 1 analysis

Next.js Authorization Bypass: A Crafted Query Parameter Changes Your Route Without Changing the URL. CVE-2026-44574.

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js

June 15, 2026

View CVE-2025-29927 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-23869 CVE-2026-44580 CVE-2026-44578 CVE-2026-44574 CVE-2025-71338 CVE-2025-71336 CVE-2025-71327 CVE-2025-67644