Protection from CVE-2025-29927 (Next.js Authorization Bypass Vulnerability)


An authorization bypass vulnerability has been found in Next.js and has been assigned CVE-2025-29927. Fastly has created a virtual patch for it that is now available within your account. To activate it and add protection to your services, follow the steps for your control panel below.

Next-Gen WAF control panel

Professional or Premier platform

  1. Log in to the Next-Gen WAF control panel.
  2. From the Sites menu, select a site if you have more than one site.
  3. From the Rules menu, select Templated Rules.
  4. In the search bar, enter CVE-2025-29927 and then click View for the CVE-2025-29927 templated rule.
  5. Click Configure and then Add trigger.
  6. Select the Block requests from an IP immediately if the CVE-2025-29927 signal is observed checkbox.
  7. Click Update rule.

Essentials platform

Fastly control panel

  1. Log in to the Fastly control panel.
  2. Go to Security > Next-Gen WAF > Workspaces.
  3. Click Virtual Patches.
  4. In the search bar, enter CVE-2025-29927 and then click the pencil to the right of the CVE-2025-29927 virtual patch.
  5. From the Status menu, select Enabled.
  6. (Optional) If your workspace is in blocking mode, choose whether to Block requests or Log requests if the CVE-2025-29927 signal is observed.
  7. Click Update virtual patch.
