Deep Runtime Evidence & Function-Level Visibility

The Problem with Traditional SCA

Most SCA solutions rely on static analysis of package manifests (e.g., package.json or pom.xml). They alert you when your project depends on a version of Next.js (or any other component) that has a known vulnerability, like CVE-2025-29927. However, these tools:

1. Don’t differentiate used vs. unused code – They only identify the version is present, not whether the specific vulnerable functions are called.
   
2. Lack runtime context – They can’t show you if or how the vulnerability might be triggered by real-world traffic.
   
3. Generate broad, often noisy reports – Developers see many “critical” alerts, but it’s unclear which ones are genuinely dangerous in a given environment.

This disconnect leads to over-prioritization of certain vulnerabilities while real threats may lurk in plain sight. Security teams need more concrete, runtime-aware data to effectively triage and respond to vulnerabilities.

Kodem’s Deep Runtime Evidence

Kodem’s deep runtime evidence closes this visibility gap by continuously monitoring the behavior of running applications. When Kodem identifies a vulnerability in your environment—such as CVE-2025-29927—it goes beyond stating “Next.js 13.5.2 is present” and answers crucial questions like:

• Which processes are loading the affected code?
  
• Is the vulnerable function or class actually being called?
  
• What container image and environment are involved?
  
• When (and how frequently) does the invocation occur?
  

By gathering runtime data, Kodem pinpoints the exact conditions under which a vulnerable code path is loaded and executed. This information enables development and security teams to focus on vulnerabilities that pose an immediate, real risk—rather than chasing every theoretical possibility.

Function-Level Visibility: The Key to Exploitability

A standout feature of Kodem is function-level visibility. Instead of treating a library as one black box, Kodem drills down to specific methods or classes implicated in a CVE. For CVE-2025-29927, Kodem identifies the exact Next.js Middleware routines that can be manipulated via the x-middleware-subrequest header. It tracks whether the vulnerable function is invoked by real traffic in your production environment.

In practice, Kodem hooks into your application’s execution in a minimally invasive manner (by subscribing to events written to the kernel using eBPF and confirming them using memory analysis). When Kodem sees a function call being executed that triggers the CVE, it records the event and collects the following information to identify the root cause:

• Timestamp of the invocation.
  
• Process (and PID) that loaded the code.
  
• Container image in which the process runs.
  
• Environment (development, staging, production) where the function is triggered.
  

This granularity reveals whether your code is genuinely susceptible to attacks like the Next.js middleware bypass, and whether it’s happening in real time.

Real-World Example: CVE-2025-29927 in Next.js

Take a look at the screenshot below:

Here, Kodem has flagged the “Improper Authorization” vulnerability tied to CVE-2025-29927. The key evidence indicates that the vulnerable files are running, in this case, dist/server/lib/server-ipc/utils.js—and identifies the specific image deployed in production. By correlating this file to the Next.js Middleware vulnerability, Kodem confirms that:

1. The vulnerable function is part of the runtime code in this container image.
   
2. The application is actively using (i.e., calling) the code path associated with CVE-2025-29927.
   

With that knowledge, teams have a direct path to remediation: they can prioritize upgrading to a patched Next.js version or implement a temporary fix (e.g., stripping the x-middleware-subrequest header in a reverse proxy) to ensure the vulnerability cannot be exploited. This is a stark contrast to a scenario where a static SCA alert simply states “Next.js v13.5.2 is vulnerable” without confirming whether the relevant function is ever invoked.

How Kodem’s Insights Help You

1. Pinpoint Actual Exposure – Kodem shows exactly where and when the vulnerable code is loaded, so you know if an attacker can reach it.
   
2. Accelerate Remediation – By showing runtime calls, Kodem helps prioritize patches for code that truly poses a risk.
   
3. Streamline Triage – Developers and security teams don’t waste time on theoretical vulnerabilities that aren’t even in use.
   
4. Enable Faster Incident Response – In the event of an exploit attempt, Kodem’s real-time monitoring can detect suspicious calls, aiding in quick containment.
   
5. Improve Auditing and Compliance – Detailed, real-time evidence of code usage provides a verifiable audit trail for security reviews.
   

Conclusion

Deep runtime evidence and function-level visibility are game-changers in modern vulnerability management. Kodem’s approach transforms raw SCA alerts into actionable intelligence, revealing not just that a component is vulnerable, but whether that vulnerability is truly exploitable in your specific environment.

By applying these capabilities to critical issues like CVE-2025-29927 in Next.js, Kodem empowers security teams to make data-driven decisions—reserving their highest urgency for vulnerabilities confirmed to be active in production. The result is a more efficient, precise, and proactive security posture that leaves no blind spots for attackers to exploit.

‍