Regarding CVE-2025-29927 in Relation to Payload CMS 3 #11835
Payload CMS, since version 3.0, has been running as a pure Next.js project. In regard to the recent disclosure, what impact does CVE-2025-29927 have on Payload CMS?

Edit: I've searched online and on this repository (issues & discussions) and haven't found an answer or statement regarding this matter.
Replies: 1 comment 1 reply
Hey @arinanto

As far as I'm aware, Payload doesn't actually utilize any middleware at all. The impact of this CVE is probably irrelevant from Payload's perspective. The only risk here is if the developer utilizes middleware in their own applications on top of Payload. That being said, version 3.30.0 was just released which bumps the Next.js peer dep to 15.2.3. Take a look at the note in that release about the impact to Payload.