
Postmortem on Next.js Middleware bypass

Vercel News·Ty Sbano·4 days ago

Last week, we published CVE-2025-29927 and patched a critical severity vulnerability in Next.js. Here’s our post-incident analysis and next steps.

Timeline

2025-02-27

On 27 Feb 2025 06:03:00 GMT, the vulnerability was disclosed to the Next.js team through GitHub private reporting. The researchers also emailed security@vercel.com. The initial report disclosed the vulnerability in older versions of Next.js (12.x). Due to the old version range, this was given lower priority in our triage queue.

2025-03-01

An additional email was sent at 01 Mar 2025 02:00:00 GMT in a new thread, which extended the affected scope to more recent versions. Due to multiple reports submitted and internal conversations, triaging was delayed.

2025-03-05

We began investigating the report to understand the validity and potential impact.…
