Posts tagged "Next-js"

  • Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183

    Update (2025-12-12 00:41 UTC): The React and Next.js patches initially published on Dec. 11 at 21:10 incompletely addressed the vulnerabilities. A follow-up CVE was issued and follow-up patches have been released by the React and Next.js teams. All versions below have been updated accordingly. If you upgraded during this 3.5-hour window, please upgrade again.

    Following last week’s critical vulnerability in React and Next.js, two additional vulnerabilities, CVE-2025-55184 and CVE-2025-55183, are being publicly disclosed today.

    Impact

    In both cases, all Next.js sites using App Router are vulnerable. This includes all v14 releases up to and including 14.2.33, all v15 releases up to and including 15.5.7, all v16 releases up to and including 16.0.8, and v13.4+ if opted into the experimental.serverActions flag. (In the case of CVE-2025-55183, only sites actually using any Server Actions are vulnerable.)

    We have collaborated with the React and Next.js teams to roll out mitigations to the Netlify network in advance of public disclosure.

    However, as we’ve seen in the past week, malicious actors around the world are constantly working to quickly identify novel ways to exploit newly published vulnerabilities. The best protection is to upgrade.

    What should I do?

    Upgrade as soon as possible. Both vulnerabilities are patched in all these releases:

    • Next.js 14.2.35
    • Next.js 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, or 15.5.9
    • Next.js 16.0.10

    As Next.js 13 has been unsupported for over a year, the Next.js team has chosen not to patch it. If your site uses Next.js 13.4+ and has opted in to the experimental.serverActions flag, we strongly recommend upgrading to 14.2.34 or later as soon as possible (note: v14 is also technically unsupported).

    To be abundantly clear: if you have upgraded to address last week’s CVE, you must upgrade once again.

    Other RSC frameworks

    These are React vulnerabilities, in the React Server Functions protocol present in all versions of React 19 up to and including 19.2.1.

    The following RSC implementations are therefore vulnerable: waku, @parcel/rsc, @vitejs/plugin-rsc, react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack, and the React Router 7 RSC preview.

    If you are using any of these, upgrade it to the latest version and upgrade react to 19.0.3, 19.1.4, or 19.2.3 as soon as possible.
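    As an added example (not code from this post or from the React, Next.js or Netlify projects), a small Node script that checks an installed next or react version against the patched releases listed above, including the v13.4+ experimental.serverActions special case. The version table is taken from this post; the package.json entries are constructed, and the serverActionsFlag option is a hypothetical stand-in for reading next.config.

```javascript
// First patched release of each affected line, taken from this advisory.
const PATCHED = {
  next: ['14.2.35', '15.0.7', '15.1.11', '15.2.8', '15.3.8', '15.4.10', '15.5.9', '16.0.10'],
  react: ['19.0.3', '19.1.4', '19.2.3'],
};

// "^15.5.7" -> [15, 5, 7]. Feed it the resolved lockfile version, not a range.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`cannot parse version: ${spec}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns { affected, upgradeTo, reason } for one package. serverActionsFlag is a
// hypothetical option mirroring experimental.serverActions for the v13.4+ case.
function assess(pkg, spec, { serverActionsFlag = false } = {}) {
  const v = parseVersion(spec);
  const [major, minor] = v;
  const ok = (reason) => ({ affected: false, upgradeTo: null, reason });
  const bad = (upgradeTo, reason) => ({ affected: true, upgradeTo, reason });
  if (pkg === 'react' && major < 19) return ok('outside the React 19 range named in the advisory');
  if (pkg === 'next' && major < 14) {
    return major === 13 && minor >= 4 && serverActionsFlag
      ? bad(PATCHED.next[0], 'v13.4+ with experimental.serverActions; v13 itself is unpatched')
      : ok('Server Actions not enabled on this version');
  }
  const patched = PATCHED[pkg].map(parseVersion);
  const sameMajor = patched.filter((p) => p[0] === major);
  const latest = sameMajor[sameMajor.length - 1];
  // A major or minor line released after the last patched line is outside the affected range.
  if (!latest || cmp(v, latest) > 0) return ok('newer than every affected line');
  const line = sameMajor.find((p) => p[1] === minor);
  if (line) {
    return cmp(v, line) >= 0 ? ok('at or above the patched release of this line')
                             : bad(line.join('.'), 'below the first patched release of this line');
  }
  // Older minor line with no patch of its own: move up to the next patched line in this major.
  const target = sameMajor.find((p) => cmp(p, v) > 0);
  return bad(target.join('.'), 'this minor line has no patched release');
}

// Constructed package.json dependency block for the demo; both entries need an upgrade.
const deps = { next: '15.5.7', react: '19.2.1' };
for (const [pkg, spec] of Object.entries(deps)) console.log(pkg, spec, assess(pkg, spec));
```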


    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.

    This post was last updated on 2025-12-11 at 21:15 UTC

  • Netlify’s response to the critical React & Next.js security vulnerability

    Update (2025-12-08 22:45 UTC): Sites that have not yet upgraded to a patched version of Next.js (or other affected framework) must upgrade immediately. Following upgrade, we also recommend rotating all credentials that are scoped for access within Netlify Functions, if you have been running a vulnerable version on or after December 4th, 2025 at 1:00 PM PT.

    Over the last many days, several variants of the original React2Shell exploit have emerged. Netlify is working alongside others in a coordinated industry effort to monitor for exploit variants and has been adjusting our blocking mechanisms accordingly.

    In addition to these attack-blocking mechanisms, we are now blocking all further deploys for sites using versions of software affected by CVE-2025-55182 and CVE-2025-66478.

    Update (2025-12-06 19:15 UTC): An official npm package has been released to update affected Next.js apps. Use npx fix-react2shell-next to update now. For more information, check the GitHub repository for react2shell.

    Update (2025-12-06 15:42 UTC): As this threat landscape is still evolving in real time, we advise all customers to immediately upgrade all React and Next.js projects to a patched version.

    Update (2025-12-06 09:24 UTC): We have deployed further mitigations for newly discovered exploit vectors.

    A critical vulnerability (CVE-2025-55182) was recently disclosed in React’s Server Functions protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.

    Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.

    The vulnerability can be exploited using all RSC implementations, including:

    In affected configurations, an attacker could craft a request that allows them to execute arbitrary code within the context of the victim’s app.

    On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since that time, no Netlify customer site has been vulnerable to the exploit. We have found no evidence of exploitation on any Netlify sites.

    Please upgrade all React and Next.js projects to a patched version immediately, and, in the case of Next.js, allow automatic updates of the OpenNext Netlify Next.js adapter.

    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.

    This post was last updated on 2025-12-08 at 22:45 UTC

  • Next.js 16 is ready to deploy on Netlify

    The Next.js 16 release is here and Netlify is ready.

    Deploy the latest version, including Turbopack, React Compiler, and enhanced caching APIs, with zero configuration.

    • Turbopack (stable): Up to 10× faster Fast Refresh and 2-5× faster builds
    • React Compiler (stable): Automatic memoization for smoother re-renders
    • Improved caching APIs: revalidateTag with cacheLife profile argument for Stale-While-Revalidate behavior and Server Actions-only updateTag to immediately refresh cached data

    Template update

    We’ve updated the Next Platform Starter to v16, showcasing Turbopack and the new caching APIs in action. In our tests, the project saw a 2.8× faster next build with Turbopack.

    Upgrading to v16 on Netlify

    If you’re upgrading from v15, no Netlify configuration changes are required. Teams that have opted out of automatic updates for Netlify’s OpenNext adapter will need to manually upgrade, or simply opt back in to receive automatic updates.

  • Security Update: Multiple vulnerabilities in Next.js

    We are aware of recently disclosed vulnerabilities affecting Next.js applications:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download
    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()
    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    As a security precaution, we recommend upgrading to the latest versions of Next.js and enabling automatic updates of the OpenNext Netlify Next.js adapter.

    The engineering team at Netlify has reviewed these and determined the following impact on Netlify sites:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download

    Sites on Netlify are not vulnerable.

    Next.js sites on Netlify use Netlify’s Image CDN instead of the affected built-in Next.js Image Optimization feature. Furthermore, Netlify Image CDN strips the Content-Disposition header, which is required for successful exploitation of this vulnerability. With this header removed it is not possible to force a file download or override the filename, even in case of a mismatch between the requested image type and the source file type.

    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()

    Sites on Netlify are not vulnerable.

    Our OpenNext adapter uses Edge Functions to run middleware and relies on the context.next() API as the underlying implementation of NextResponse.next() calls, passing the original request URL and preventing this attack vector.

    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    Next.js sites on Netlify are potentially vulnerable if they use the next/image component to fetch images from a source that uses headers to conditionally serve images.

    Next.js sites using the next/image component will automatically opt into Netlify’s Image CDN which, by design, will automatically cache the source assets on Netlify’s Edge Cache. This means that a source image that is served behind an authorization header will get cached on the Netlify Edge Cache in order to improve performance. Upgrading to the newest version of Next.js will not change this behavior.

    If your Next.js site serves images from a protected source, we advise you to not use the next/image component so that you have full control over the caching and authorization strategies required for your use-case.

    We are working continually with the Next.js team and are committed to making your sites secure on Netlify.

  • Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421

    The Next.js team recently disclosed CVE-2025-32421, a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.

    The engineering team at Netlify has confirmed that no Next.js site on Netlify is vulnerable. The vulnerability requires a CDN that may cache responses without explicit Cache-Control headers, and Netlify’s CDN never does so.

    As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and allowing automatic updates of the OpenNext Netlify Next.js adapter.
