CVE-2025-30218

Description

## Summary In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers. Learn more [here](https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O). ## Credit Thank you to Jinseo Kim [kjsman](https://hackerone.com/kjsman?type=user) and [RyotaK](https://hackerone.com/ryotak?type=user) (GMO Flatt Security Inc.) with [takumi-san.ai](https://takumi-san.ai) for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

How to fix CVE-2025-30218

To remediate CVE-2025-30218, upgrade the affected package to a fixed version below.

• —upgrade to 12.3.6 or later

Is CVE-2025-30218 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 12.3.5, < 12.3.6

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-30218
• PATCHgithub.com/vercel/next.js
• WEBgithub.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf
• WEBvercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O