---
title: "Next-js | Netlify Changelog"
description: "Get the latest updates on Netlify products and features to meet your developer needs."
source: "https://www.netlify.com/changelog/tag/next-js/"
last_updated: "2026-07-15T04:57:25.000Z"
---
# Posts tagged "Next-js"

All Tags Agent-runners AI Ai-gateway Angular Astro AX Build CLI Database Design Devtools Domains E-commerce Extensions Forms Framework Functions Logs Next.js Nuxt.js Remix SDK Security Updates Workflow  [Subscribe to feed](https://www.netlify.com/changelog/tag/next-js/feed.xml)

-   [
    
    ## Security Update: Multiple vulnerabilities in Next.js and React
    
    ](/changelog/2026-05-08-react-nextjs-security-vulnerabilities/)
    
    May 8, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    The Next.js and React teams have disclosed [twelve security vulnerabilities](https://github.com/vercel/next.js/security): one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.
    
    ## Summary
    
    If you run Next.js on Netlify, **we strongly recommend upgrading `next` to 15.5.18 or 16.2.6** and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). If you use `react-server-dom-*` outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See [What should I do?](#what-should-i-do) for full steps.
    
    Netlify’s platform is **not** vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See [Impact on Netlify](#impact-on-netlify) for the per-CVE verdict.
    
    ## Vulnerabilities
    
    ### React (`react-server-dom-*`)
    
    This affects `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. The Next.js advisory [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) tracks the same issue downstream.
    
    Vulnerability
    
    Severity
    
    Affected versions
    
    Fixed in
    
    [GHSA-rv78-f8rc-xrxh](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) — DoS in Server Components ([CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870))
    
    High
    
    19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5
    
    19.0.6, 19.1.7, 19.2.6
    
    ### Next.js
    
    All Next.js issues are patched in **15.5.18** and **16.2.6**. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.
    
    Vulnerability
    
    Severity
    
    Affected versions
    
    [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) — DoS with Server Components
    
    High
    
    ≥13.0.0
    
    [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) — Middleware / Proxy bypass in App Router via segment-prefetch routes
    
    High
    
    ≥15.2.0
    
    [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) — Follow-up to [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f): incomplete fix for `middleware.ts` with Turbopack
    
    High
    
    ≥15.2.0
    
    [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) — DoS via connection exhaustion in apps using Cache Components
    
    High
    
    ≥15.0.0 (apps using Cache Components)
    
    [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) — Middleware / Proxy bypass through dynamic route parameter injection
    
    High
    
    ≥15.4.0
    
    [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) — SSRF in applications using WebSocket upgrades
    
    High
    
    ≥13.4.13
    
    [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) — Middleware / Proxy bypass in Pages Router applications using i18n
    
    High
    
    ≥12.2.0
    
    [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) — XSS in App Router applications using CSP nonces
    
    Medium
    
    ≥13.4.0
    
    [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) — XSS in `beforeInteractive` scripts with untrusted input
    
    Medium
    
    ≥13.0.0
    
    [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) — DoS in the Image Optimization API
    
    Medium
    
    ≥10.0.0
    
    [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) — Cache poisoning in React Server Component responses
    
    Medium
    
    ≥14.2.0
    
    [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) — Cache poisoning via collisions in React Server Component cache-busting
    
    Low
    
    ≥13.4.6
    
    [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) — Middleware / Proxy redirects can be cache-poisoned
    
    Low
    
    ≥12.2.0
    
    ## Impact on Netlify
    
    ### Denial of service
    
    [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) and [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have **minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components ([GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx)) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.
    
    [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) affects the Next.js Image Optimization API. Netlify projects are **not affected**: this Next.js code path is not used on Netlify — image optimization is handled by [Netlify Image CDN](https://docs.netlify.com/build/image-cdn/overview/), a separate service that runs outside your project’s functions with its own protections against this class of issue.
    
    ### Middleware / proxy bypass
    
    These four CVEs affect Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per CVE:
    
    -   [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) (cache-poisoned redirects): Netlify projects are **not affected**. Our OpenNext Netlify Next.js adapter already varies cached responses on the `x-nextjs-data` header.
    -   [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) (dynamic route parameter injection): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
    -   [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are **affected**. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). See [how to upgrade](#what-should-i-do) below.
    -   [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) (App Router segment-prefetch bypass) and [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) (follow-up): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves both.
    
    ### Cross-site scripting
    
    [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) and [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to `beforeInteractive` scripts may be **vulnerable**. Upgrade Next.js to remediate.
    
    ### Server-side request forgery
    
    [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) affects applications using WebSocket upgrades. Netlify projects are **not affected**: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.
    
    ### Cache poisoning
    
    [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) and [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) affect React Server Component response caching. Netlify projects are **not affected**: Netlify’s CDN does not rely on the `_rsc` cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors `Vary` on RSC-related request headers.
    
    ## What should I do?
    
    We strongly recommend upgrading as soon as possible to patched releases:
    
    -   **Next.js projects:** upgrade `next` to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate `react-server-dom-*` upgrade is not needed.
    -   **Direct `react-server-dom-*` users** (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    For projects using Pages Router with i18n and Next.js Middleware / Proxy ([GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5)), the upstream Next.js fix does not fully apply on Netlify. The fix ships in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11):
    
    -   Auto-installed adapter (default): redeploy.
    -   Manually installed adapter: upgrade `@netlify/plugin-nextjs` to v5.15.11 and redeploy. We recommend [not pinning the adapter version](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#how-netlify-runs-your-nextjs-app) so future fixes ship automatically.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React security advisory (GHSA-rv78-f8rc-xrxh)](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh)
    -   [CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870)
    -   [Next.js security advisories](https://github.com/vercel/next.js/security)
    
    [Permalink to Security Update: Multiple vulnerabilities in Next.js and React Permalink](/changelog/2026-05-08-react-nextjs-security-vulnerabilities/)
    
-   [
    
    ## Security Update: DoS vulnerability in Next.js and React Server Components
    
    ](/changelog/2026-04-08-react-nextjs-dos-vulnerability/)
    
    April 8, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    A denial-of-service (DoS) vulnerability ([CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause excessive CPU consumption. Here’s what Netlify customers need to know.
    
    ## Impact on Netlify
    
    Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ## Affected frameworks
    
    All RSC frameworks are affected:
    
    -   **Next.js** (see version table below)
    -   React Router 7 (if using RSC preview)
    -   Waku
    -   `@parcel/rsc`
    -   `@vitejs/plugin-rsc`
    
    Astro, Gatsby, and Remix are not affected.
    
    ### React affected versions
    
    See the [React advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg) for full details.
    
    Affected versions
    
    Fixed in
    
    19.0.0–19.0.4
    
    19.0.5
    
    19.1.0–19.1.5
    
    19.1.6
    
    19.2.0–19.2.4
    
    19.2.5
    
    ### Next.js affected versions
    
    See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3) for full details.
    
    Affected versions
    
    Fixed in
    
    13.3.0+
    
    EOL - no fix
    
    14.x
    
    EOL - no fix
    
    15.0.0–15.5.14
    
    15.5.15
    
    16.0.0–16.2.2
    
    16.2.3
    
    ## What should I do?
    
    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869)
    -   [React security advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg)
    -   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3)
    
    [Permalink to Security Update: DoS vulnerability in Next.js and React Server Components Permalink](/changelog/2026-04-08-react-nextjs-dos-vulnerability/)
    
-   [
    
    ## Security Update: DoS vulnerability in Next.js and React Server Components
    
    ](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
    January 26, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    A denial-of-service (DoS) vulnerability ([CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs ([CVE-2025-59471](https://www.cve.org/CVERecord?id=CVE-2025-59471), [CVE-2025-59472](https://www.cve.org/CVERecord?id=CVE-2025-59472)) patched in the same releases. Here’s what Netlify customers need to know.
    
    ## Impact on Netlify
    
    Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ## Affected frameworks
    
    All RSC frameworks are affected:
    
    -   **Next.js** (see version table below)
    -   React Router 7 (if using RSC preview)
    -   Waku
    -   `@parcel/rsc`
    -   `@vitejs/plugin-rsc`
    
    Astro, Gatsby, and Remix are not affected.
    
    ### React affected versions
    
    See the [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for full details.
    
    Affected versions
    
    Fixed in
    
    19.0.0–19.0.3
    
    19.0.4
    
    19.1.0–19.1.4
    
    19.1.5
    
    19.2.0–19.2.3
    
    19.2.4
    
    ### Next.js affected versions
    
    See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf) for full details.
    
    Affected versions
    
    Fixed in
    
    13.3.0+
    
    EOL - no fix
    
    14.x
    
    EOL - no fix
    
    15.0.0–15.0.7
    
    15.0.8
    
    15.1.0–15.1.10
    
    15.1.11
    
    15.2.0–15.2.8
    
    15.2.9
    
    15.3.0–15.3.8
    
    15.3.9
    
    15.4.0–15.4.10
    
    15.4.11
    
    15.5.0–15.5.9
    
    15.5.10
    
    15.x canaries
    
    15.6.0-canary.61
    
    16.0.0–16.0.10
    
    16.0.11
    
    16.1.0–16.1.4
    
    16.1.5
    
    16.x canaries
    
    16.2.0-canary.9
    
    ## What should I do?
    
    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
    -   [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
    -   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf)
    
    [Permalink to Security Update: DoS vulnerability in Next.js and React Server Components Permalink](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
-   [
    
    ## Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183
    
    ](/changelog/2025-12-11-action-required-two-more-react-nextjs-vulns/)
    
    December 11, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    **Update (2025-12-12 00:41 UTC):** The React and Next.js patches initially published on Dec. 11 at 21:10 incompletely addressed the vulnerabilities. A [follow-up CVE was issued](https://www.cve.org/CVERecord?id=CVE-2025-67779) and follow-up patches have been released by the React and Next.js teams. All versions below have been updated accordingly. If you upgraded during this 3.5-hour window, please upgrade again.
    
    * * *
    
    Following [last week’s critical vulnerability in React and Next.js](https://www.netlify.com/changelog/2025-12-03-react-security-vulnerability-response/), two additional vulnerabilities are being publicly disclosed today:
    
    -   [**CVE-2025-55184:** Denial of Service (CVSS 7.5/10, high severity)](https://www.cve.org/CVERecord?id=CVE-2025-55184)
        -   A malicious actor can send a request that makes the Next.js server hang.
        -   On Netlify, this type of request gets interrupted by a timeout after 30–40 seconds. As Next.js on Netlify runs on automatically scaled serverless functions, there is no risk of impact to legitimate requests. However, this can have impacts to your monthly bill due to increased bandwidth and function CPU usage.
    -   [**CVE-2025-55183:** Leaking Server Functions (CVSS 5.3/10, medium severity)](https://www.cve.org/CVERecord?id=CVE-2025-55184)
        -   A malicious actor can send a request that leaks the compiled body of a given Server Function/Action.
    
    ## Impact
    
    In both cases, [all Next.js sites using App Router are vulnerable](https://nextjs.org/blog/security-update-2025-12-11). This includes all v14 releases up to and including 14.2.33, all v15 releases up to and including 15.5.7, all v16 releases up to and including 16.0.8, and v13.4+ if opted into the `experimental.serverActions` flag. (In the case of CVE-2025-55183, only sites actually _using_ any Server Actions are vulnerable.)
    
    We have collaborated with the React and Next.js teams to roll out mitigations to the Netlify network in advance of public disclosure.
    
    However, as we’ve seen in the past week, malicious actors around the world are constantly working to quickly identify novel ways to exploit newly published vulnerabilities. The best protection is to upgrade.
    
    ## What should I do?
    
    **Upgrade as soon as possible**. Both vulnerabilities are patched in all these releases:
    
    -   Next.js 14.2.35
    -   Next.js 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, or 15.5.9
    -   Next.js 16.0.10
    
    As [Next.js 13 has been unsupported for over a year](https://nextjs.org/support-policy), the Next.js team has chosen not to patch it. If your site uses Next.js 13.4+ and has opted in to the `experimental.serverActions` flag, we strongly recommend upgrading to 14.2.34 or later as soon as possible (note: v14 is also technically unsupported).
    
    To be abundantly clear: if you have upgraded to address last week’s CVE, **you must upgrade once again**.
    
    ## Other RSC frameworks
    
    [These are React vulnerabilities](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components), in the [React Server Functions protocol](https://react.dev/reference/rsc/server-functions) present in all versions of React 19 up to and including 19.2.1.
    
    The following RSC implementations are therefore vulnerable: `waku`, `@parcel/rsc`, `@vitejs/plugin-rsc`, `react-server-dom-parcel`, `react-server-dom-webpack`, `react-server-dom-turbopack`, and the React Router 7 RSC preview.
    
    If you are using any of these, upgrade it to the latest version and upgrade `react` to 19.0.3, 19.1.4, or 19.2.3 as soon as possible.
    
    ## Resources
    
    -   [React disclosures](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
    -   [Next.js disclosures](https://nextjs.org/blog/security-update-2025-12-11)
    
    * * *
    
    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.
    
    _This post was last updated on 2025-12-11 at 21:15 UTC_
    
    [Permalink to Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183 Permalink](/changelog/2025-12-11-action-required-two-more-react-nextjs-vulns/)
    
-   [
    
    ## Netlify’s response to the critical React & Next.js security vulnerability
    
    ](/changelog/2025-12-03-react-security-vulnerability-response/)
    
    December 3, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    **Update (2025-12-08 22:45 UTC):** Sites that have not yet upgraded to a patched version of Next.js (or other affected framework) must upgrade immediately. Following upgrade, we also recommend rotating all credentials that are [scoped for access within Netlify Functions](https://docs.netlify.com/build/functions/environment-variables/#declare-variables), if you have been running a vulnerable version on or after December 4th, 2025 at 1:00 PM PT.
    
    Over the last many days, several variants of the original React2Shell exploit have emerged. Netlify is working alongside others in a coordinated industry effort to monitor for exploit variants and has been adjusting our blocking mechanisms accordingly.
    
    In addition to these attack blocking mechanisms, we are now blocking all further deploys for sites using versions of software affected by [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and [CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp).
    
    **Update (2025-12-06 19:15 UTC):** An official npm package has been released to update affected Next.js apps. Use `npx fix-react2shell-next` to update now. For more information, check the [github repository for `react2shell`](https://github.com/vercel-labs/fix-react2shell-next).
    
    **Update (2025-12-06 15:42 UTC):** As this threat landscape is still evolving in real time, **we advise all customers to immediately upgrade all React and Next.js projects to a patched version**.
    
    **Update (2025-12-06 09:24 UTC):** We have deployed further mitigations for newly discovered exploit vectors.
    
    A critical vulnerability ([CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182)) was recently disclosed in React’s [Server Functions](https://react.dev/reference/rsc/server-functions) protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.
    
    Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.
    
    The vulnerability can be exploited using all RSC implementations, including:
    
    -   Next.js versions 15 and 16, up to and including 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6 ([CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp))
    -   [React Router RSC Preview](https://reactrouter.com/how-to/react-server-components)
    -   [Vite RSC plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc)
    
    In affected configurations, an attacker could craft a request that allows them to **execute arbitrary code within the context of the victim’s app**.
    
    On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since that time, **all Netlify customers are not vulnerable** to the exploit. We have found **no evidence of exploitation** on any Netlify sites.
    
    **Please upgrade all React and Next.js projects to a patched version immediately**, and, in the case of Next.js, [**allow automatic updates of the OpenNext Netlify Next.js adapter**](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#nextjs-support-on-netlify).
    
    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.
    
    * * *
    
    _This post was last updated on 2025-12-08 at 22:45 UTC_
    
    [Permalink to Netlify’s response to the critical React & Next.js security vulnerability Permalink](/changelog/2025-12-03-react-security-vulnerability-response/)
    
-   [
    
    ## Next.js 16 is ready to deploy on Netlify
    
    ](/changelog/next-js-16-deploy-on-netlify/)
    
    October 21, 2025
    
    -   [framework](/changelog/tag/framework/)
    -   [next.js](/changelog/tag/next-js/)
    
    The [Next.js 16 release](https://nextjs.org/blog/next-16) is here and Netlify is ready.
    
    Deploy the latest version, including Turbopack, React Compiler, and enhanced caching APIs, with zero configuration.
    
    -   Turbopack (stable): Up to 10× faster Fast Refresh and 2-5× faster builds
    -   React Compiler (stable): Automatic memoization for smoother re-renders
    -   Improved caching APIs: `revalidateTag` with `cacheLife` profile argument for Stale-While-Revalidate behavior and Server Actions-only `updateTag` to immediately refresh cached data
    
    **Template update**
    
    We’ve updated the [Next Platform Starter](https://github.com/netlify-templates/next-platform-starter) to v16, showcasing Turbopack and the new caching APIs in action. In our tests, the project saw a 2.8× faster `next build` with Turbopack.
    
    **Upgrading to v16 on Netlify**
    
    If you’re upgrading from v15, no Netlify configuration changes are required. Teams that have opted out of automatic updates for Netlify’s OpenNext adapter will need to [manually upgrade](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/legacy-runtime/upgrading-or-reverting-adapter/#upgrade-to-the-latest-adapter), or simply opt back in to receive automatic updates.
    
    **Resources**
    
    -   [Deploy the demo](https://github.com/netlify-templates/next-platform-starter)
    -   [Read the Next.js 16 release](https://nextjs.org/blog/next-16)
    -   [View Next.js on Netlify docs](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/)
    
    [Permalink to Next.js 16 is ready to deploy on Netlify Permalink](/changelog/next-js-16-deploy-on-netlify/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in Next.js
    
    ](/changelog/security-update-multiple-vulnerabilities-in-next-js-2025-08/)
    
    August 30, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    We are aware of recently disclosed vulnerabilities affecting Next.js applications:
    
    1.  [CVE-2025-55173](https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v): **Next.js Image Optimization – Arbitrary File Download**
    2.  [CVE-2025-57822](https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f): **Next.js Middleware – SSRF via Misuse of `next()`**
    3.  [CVE-2025-57752](https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v): **Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure**
    
    As a security precaution, we recommend upgrading to the latest versions of Next.js and enabling [**automatic updates of the OpenNext Netlify Next.js adapter**](https://docs.netlify.com/frameworks/next-js/overview/#reverting-to-an-older-adapter-version).
    
    The engineering team at Netlify has reviewed these and determined the following impact on Netlify sites: \*
    
    1.  [CVE-2025-55173](https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v): **Next.js Image Optimization – Arbitrary File Download**
    
    Sites on Netlify **are not vulnerable**.
    
    Next.js sites on Netlify use Netlify’s Image CDN instead of the affected built-in Next.js Image Optimization feature. Furthermore, Netlify Image CDN strips `Content-Disposition` headers, which is required for successful exploitation of this vulnerability. With this header removed it is not possible to force a file download or override the filename, even in case of a mismatch between the requested image type and the source file type.
    
    2.  [CVE-2025-57822](https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f): **Next.js Middleware – SSRF via Misuse of `next()`**
    
    Sites on Netlify **are not vulnerable**.
    
    Our OpenNext adapter uses Edge Functions to run middleware and relies on the `context.next()` API as the underlying implementation of `NextResponse.next()` calls, passing the original request URL and preventing this attack vector.
    
    3.  [CVE-2025-57752](https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v): **Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure**
    
    Next.js sites on Netlify are **potentially vulnerable**, if the sites use the `next/image` component to fetch images from a source that uses headers to conditionally serve images.
    
    Next.js sites using the `next/image` component will automatically opt into Netlify’s Image CDN which, by design, will automatically cache the source assets on Netlify’s Edge Cache. This means that a source image that is served behind an authorization header will get cached on the Netlify Edge Cache in order to improve performance. Upgrading to the newest version of Next.js will not change this behavior.
    
    If your Next.js site serves images from a protected source, we advise you to not use the `next/image` component so that you have full control over the caching and authorization strategies required for your use-case.
    
    We are working continually with the Next.js team and are committed to making your sites secure on Netlify.
    
    [Permalink to Security Update: Multiple vulnerabilities in Next.js Permalink](/changelog/security-update-multiple-vulnerabilities-in-next-js-2025-08/)
    
-   [
    
    ## Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421
    
    ](/changelog/security-update-next-js-sites-on-netlify-not-vulnerable-to-cve-2025-32421/)
    
    May 15, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    The Next.js team [recently disclosed CVE-2025-32421](https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4), a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.
    
    The engineering team at Netlify has confirmed that all Next.js sites on Netlify **are not vulnerable**. The vulnerability requires use of a CDN that may cache responses without explicit Cache-Control headers, but Netlify’s CDN never does so.
    
    As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and [allowing automatic updates of the OpenNext Netlify Next.js adapter](https://docs.netlify.com/frameworks/next-js/overview/#reverting-to-an-older-adapter-version).
    
    [Permalink to Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 Permalink](/changelog/security-update-next-js-sites-on-netlify-not-vulnerable-to-cve-2025-32421/)