Company
Date Published
Author
Colin Sidoti
Word count
387
Language
English
Hacker News points
None

Summary

On March 21, 2025, Next.js disclosed CVE-2025-29927, a critical vulnerability that lets an attacker bypass authentication and authorization checks implemented in Next.js middleware. Applications that do not use Next.js, or that are hosted on Vercel or Netlify, are not affected. Applications that rely on Clerk's middleware alone to protect routes, where the protected pages and route handlers never read user data through Clerk themselves, could be vulnerable unless they have upgraded to @clerk/[email protected] or higher, released in June 2024.

The issue is fixed in Next.js 15.2.3 and 14.2.25, with backports in 13.5.9 and 12.3.5. Applications that cannot upgrade should block external requests that carry the x-middleware-subrequest header (for example with a reverse proxy or WAF rule), since that header is what causes middleware to be skipped.

Clerk acknowledged that its initial announcement, which stated that all applications using Clerk were unaffected, was a mistake, and apologized. It committed to improving its zero-day vulnerability procedures and to establishing advance-notice arrangements with framework authors such as Next.js. Clerk has also contacted the administrators of potentially affected applications directly and is offering assistance by email and through its support channels.
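The following Node.js script is an added illustration, not Clerk's or Next.js's code, of why "middleware-only" protection fails when the middleware run is skipped, and of the two defences the summary describes: a handler that reads the session itself, and an edge filter that drops the x-middleware-subrequest header from external requests. The dispatch logic is a deliberately simplified model of the consequence (middleware not run when the header is present), not the framework's actual condition; the `/dashboard` prefix, the `__session` cookie name, the session store and all request objects are assumptions constructed for the example.

```javascript
// Added example (not Next.js or Clerk code): model of middleware-only route
// protection, the bypass when middleware is skipped, and two mitigations.

const PROTECTED_PREFIX = '/dashboard';              // assumed protected prefix
const INTERNAL_HEADER = 'x-middleware-subrequest';  // header named in the advisory

// Constructed sample session store: cookie value -> session.
const SESSIONS = new Map([['sess_valid', { userId: 'user_1' }]]);

// Case-insensitive header lookup on a plain { name: value } object.
function header(req, name) {
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// Assumed cookie name "__session"; returns the session object or null.
function getSession(req) {
  const m = /(?:^|;\s*)__session=([^;]+)/.exec(header(req, 'cookie') || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// The middleware: in a "middleware-only" app this is the sole auth check.
function authMiddleware(req) {
  if (req.path.startsWith(PROTECTED_PREFIX) && !getSession(req)) {
    return { status: 307, body: '', location: '/sign-in' };
  }
  return null; // continue to the route handler
}

// Simplified model of the flawed dispatch: a request carrying the internal
// header is treated as an internal subrequest and middleware is not run.
// The real condition in Next.js is more specific; only the effect is modelled.
function dispatchVulnerable(req, handler) {
  if (header(req, INTERNAL_HEADER) === undefined) {
    const redirect = authMiddleware(req);
    if (redirect) return redirect;
  }
  return handler(req);
}

// Handler that trusts middleware entirely (the vulnerable pattern).
function handlerTrustsMiddleware() {
  return { status: 200, body: 'dashboard' };
}

// Handler that reads the session itself (defence in depth): a skipped
// middleware run exposes nothing because the check is repeated here.
function handlerChecksAuth(req) {
  const session = getSession(req);
  if (!session) return { status: 401, body: 'unauthenticated' };
  return { status: 200, body: `dashboard for ${session.userId}` };
}

// Mitigation for apps that cannot upgrade: drop the internal header from every
// external request before it reaches the app (what a proxy or WAF rule does).
function stripInternalHeader(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() !== INTERNAL_HEADER) headers[k] = v;
  }
  return { ...req, headers };
}

// Constructed requests. The header value is irrelevant to this model.
const anonymous = { path: '/dashboard', headers: {} };
const attacker = { path: '/dashboard', headers: { 'X-Middleware-Subrequest': '1' } };
const loggedIn = { path: '/dashboard', headers: { cookie: '__session=sess_valid' } };

// Returns the status code each scenario produces.
function demo() {
  return {
    anonymousBlocked: dispatchVulnerable(anonymous, handlerTrustsMiddleware).status,      // 307
    bypass: dispatchVulnerable(attacker, handlerTrustsMiddleware).status,                // 200
    bypassVsDefenceInDepth: dispatchVulnerable(attacker, handlerChecksAuth).status,      // 401
    bypassVsProxyFilter:
      dispatchVulnerable(stripInternalHeader(attacker), handlerTrustsMiddleware).status, // 307
    loggedIn: dispatchVulnerable(loggedIn, handlerChecksAuth).status,                    // 200
  };
}

console.log(demo());
```

The `bypass` line is the whole problem: with middleware skipped, a handler that never looks at the session serves the page to anyone. The two other lines show that either mitigation closes it on its own, but only the handler-side check survives a future way of skipping middleware, which is why the upgraded Clerk SDK path (pages that read user data) is the durable fix and the header filter is the stopgap.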