---
title: "Security | Netlify Changelog"
description: "Stay updated with the latest features, fixes, and improvements. Realize the speed, agility and performance of a scalable, composable web architecture with Netlify. Explore the composable web platform now!"
source: "https://www.netlify.com/changelog/tag/security/page/2/"
last_updated: "2026-07-06T08:53:06.000Z"
---
# Posts tagged "Security"

All Tags Agent-runners AI Ai-gateway Angular Astro AX Build CLI Database Design Devtools Domains E-commerce Extensions Forms Framework Functions Logs Next.js Nuxt.js Remix SDK Security Updates Workflow  [Subscribe to feed](https://www.netlify.com/changelog/tag/security/feed.xml)

-   [
    
    ## Security Update: DoS vulnerability in Node.js
    
    ](/changelog/2026-01-16-nodejs-async-hooks-dos-vulnerability/)
    
    January 16, 2026
    
    -   [security](/changelog/tag/security/)
    -   [functions](/changelog/tag/functions/)
    
    The Node.js team has released a [security update addressing a denial-of-service vulnerability](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks) affecting applications that use `async_hooks` (including in dependencies). Here’s what Netlify customers need to know.
    
    ## Vulnerability
    
    When `async_hooks` are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses `try-catch` blocks and uncaught exception handlers entirely.
    
    A malicious actor could send a crafted payload to crash a server.
    
    Note that many common tools and frameworks use `async_hooks` under the hood, notably APM and tracing tools (e.g. DataDog, NewRelic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find [more details on that here](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks#important-react-and-nextjs-impact-by-version).
    
    ## Impact on Netlify
    
    This is a server-side denial-of-service (DoS) vulnerability. **On Netlify, this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.
    
    Note that Node.js used during your project’s _build_ is not impacted at all.
    
    ## What should I do?
    
    If you have [opted your Netlify Functions into Node.js 18](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime), we **recommend upgrading to Node.js 20 or later**. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.
    
    Otherwise, there is **no action for you to take**. Although this CVE’s impact to Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.
    
    For completeness, please note that [the Node.js version used during your project’s _build_](https://docs.netlify.com/build/configure-builds/manage-dependencies/#nodejs-and-javascript) is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.
    
    ## Resources
    
    -   [Node.js security release announcement](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks)
    -   [Netlify Functions Node.js version configuration](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime)
    
    [Permalink to Security Update: DoS vulnerability in Node.js Permalink](/changelog/2026-01-16-nodejs-async-hooks-dos-vulnerability/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in SvelteKit
    
    ](/changelog/2026-01-15-sveltekit-security-vulnerabilities/)
    
    January 15, 2026
    
    -   [security](/changelog/tag/security/)
    -   [framework](/changelog/tag/framework/)
    
    The Svelte team has disclosed [five CVEs affecting the Svelte and SvelteKit ecosystem](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem). Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    -   [**CVE-2026-22775**](https://www.cve.org/CVERecord?id=CVE-2026-22775): Memory/CPU exhaustion in `devalue` (5.1.0–5.6.1)
    -   [**CVE-2026-22774**](https://www.cve.org/CVERecord?id=CVE-2026-22774): Memory exhaustion in `devalue` (5.3.0–5.6.1)
    -   [**CVE-2026-22803**](https://www.cve.org/CVERecord?id=CVE-2026-22803): Server crash in `@sveltejs/kit` (2.49.0–2.49.4)
    -   [**CVE-2025-67647**](https://www.cve.org/CVERecord?id=CVE-2025-67647): Server crash and SSRF in `@sveltejs/kit` (2.44.0–2.49.4) and `@sveltejs/adapter-node` (2.19.0–2.49.4)
    -   [**CVE-2025-15265**](https://www.cve.org/CVERecord?id=CVE-2025-15265): XSS in `svelte` (5.46.0–5.46.3)
    
    ## Impact on Netlify
    
    ### CVE-2026-22775, CVE-2026-22774, and CVE-2026-22803
    
    These are server-side denial-of-service (DoS) vulnerabilities. **On Netlify, these have minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    In addition, note that only sites using the experimental [Remote Functions](https://svelte.dev/docs/kit/remote-functions) feature are affected.
    
    ### CVE-2025-67647
    
    As above, this DoS vulnerability involves intentionally “crashing” a server. **On Netlify, this has minimal impact.**
    
    The SSRF vulnerability affects a `@sveltejs/adapter-node`, which is not used by apps deployed to Netlify.
    
    ### CVE-2025-15265
    
    This is a client-side cross-site scripting (XSS) vulnerability. **Regardless of hosting provider, all apps using the experimental `hydratable` with unsanitized user-controlled keys are vulnerable**.
    
    ## What should I do?
    
    Although the impact to Netlify sites is limited in this case, we always strongly recommend upgrading as soon as possible to patched releases:
    
    -   `devalue` 5.6.2 or later
    -   `@sveltejs/kit` 2.49.5 or later
    -   `@sveltejs/adapter-node` 5.5.1 or later
    -   `svelte` 5.46.4 or later
    
    ## Resources
    
    -   [Svelte team disclosure](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem)
    
    [Permalink to Security Update: Multiple vulnerabilities in SvelteKit Permalink](/changelog/2026-01-15-sveltekit-security-vulnerabilities/)
    
-   [
    
    ## Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183
    
    ](/changelog/2025-12-11-action-required-two-more-react-nextjs-vulns/)
    
    December 11, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    **Update (2025-12-12 00:41 UTC):** The React and Next.js patches initially published on Dec. 11 at 21:10 incompletely addressed the vulnerabilities. A [follow-up CVE was issued](https://www.cve.org/CVERecord?id=CVE-2025-67779) and follow-up patches have been released by the React and Next.js teams. All versions below have been updated accordingly. If you upgraded during this 3.5-hour window, please upgrade again.
    
    * * *
    
    Following [last week’s critical vulnerability in React and Next.js](https://www.netlify.com/changelog/2025-12-03-react-security-vulnerability-response/), two additional vulnerabilities are being publicly disclosed today:
    
    -   [**CVE-2025-55184:** Denial of Service (CVSS 7.5/10, high severity)](https://www.cve.org/CVERecord?id=CVE-2025-55184)
        -   A malicious actor can send a request that makes the Next.js server hang.
        -   On Netlify, this type of request gets interrupted by a timeout after 30–40 seconds. As Next.js on Netlify runs on automatically scaled serverless functions, there is no risk of impact to legitimate requests. However, this can have impacts to your monthly bill due to increased bandwidth and function CPU usage.
    -   [**CVE-2025-55183:** Leaking Server Functions (CVSS 5.3/10, medium severity)](https://www.cve.org/CVERecord?id=CVE-2025-55184)
        -   A malicious actor can send a request that leaks the compiled body of a given Server Function/Action.
    
    ## Impact
    
    In both cases, [all Next.js sites using App Router are vulnerable](https://nextjs.org/blog/security-update-2025-12-11). This includes all v14 releases up to and including 14.2.33, all v15 releases up to and including 15.5.7, all v16 releases up to and including 16.0.8, and v13.4+ if opted into the `experimental.serverActions` flag. (In the case of CVE-2025-55183, only sites actually _using_ any Server Actions are vulnerable.)
    
    We have collaborated with the React and Next.js teams to roll out mitigations to the Netlify network in advance of public disclosure.
    
    However, as we’ve seen in the past week, malicious actors around the world are constantly working to quickly identify novel ways to exploit newly published vulnerabilities. The best protection is to upgrade.
    
    ## What should I do?
    
    **Upgrade as soon as possible**. Both vulnerabilities are patched in all these releases:
    
    -   Next.js 14.2.35
    -   Next.js 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, or 15.5.9
    -   Next.js 16.0.10
    
    As [Next.js 13 has been unsupported for over a year](https://nextjs.org/support-policy), the Next.js team has chosen not to patch it. If your site uses Next.js 13.4+ and has opted in to the `experimental.serverActions` flag, we strongly recommend upgrading to 14.2.34 or later as soon as possible (note: v14 is also technically unsupported).
    
    To be abundantly clear: if you have upgraded to address last week’s CVE, **you must upgrade once again**.
    
    ## Other RSC frameworks
    
    [These are React vulnerabilities](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components), in the [React Server Functions protocol](https://react.dev/reference/rsc/server-functions) present in all versions of React 19 up to and including 19.2.1.
    
    The following RSC implementations are therefore vulnerable: `waku`, `@parcel/rsc`, `@vitejs/plugin-rsc`, `react-server-dom-parcel`, `react-server-dom-webpack`, `react-server-dom-turbopack`, and the React Router 7 RSC preview.
    
    If you are using any of these, upgrade it to the latest version and upgrade `react` to 19.0.3, 19.1.4, or 19.2.3 as soon as possible.
    
    ## Resources
    
    -   [React disclosures](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
    -   [Next.js disclosures](https://nextjs.org/blog/security-update-2025-12-11)
    
    * * *
    
    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.
    
    _This post was last updated on 2025-12-11 at 21:15 UTC_
    
    [Permalink to Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183 Permalink](/changelog/2025-12-11-action-required-two-more-react-nextjs-vulns/)
    
-   [
    
    ## Netlify’s response to the critical React & Next.js security vulnerability
    
    ](/changelog/2025-12-03-react-security-vulnerability-response/)
    
    December 3, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    **Update (2025-12-08 22:45 UTC):** Sites that have not yet upgraded to a patched version of Next.js (or other affected framework) must upgrade immediately. Following upgrade, we also recommend rotating all credentials that are [scoped for access within Netlify Functions](https://docs.netlify.com/build/functions/environment-variables/#declare-variables), if you have been running a vulnerable version on or after December 4th, 2025 at 1:00 PM PT.
    
    Over the last many days, several variants of the original React2Shell exploit have emerged. Netlify is working alongside others in a coordinated industry effort to monitor for exploit variants and has been adjusting our blocking mechanisms accordingly.
    
    In addition to these attack blocking mechanisms, we are now blocking all further deploys for sites using versions of software affected by [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and [CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp).
    
    **Update (2025-12-06 19:15 UTC):** An official npm package has been released to update affected Next.js apps. Use `npx fix-react2shell-next` to update now. For more information, check the [github repository for `react2shell`](https://github.com/vercel-labs/fix-react2shell-next).
    
    **Update (2025-12-06 15:42 UTC):** As this threat landscape is still evolving in real time, **we advise all customers to immediately upgrade all React and Next.js projects to a patched version**.
    
    **Update (2025-12-06 09:24 UTC):** We have deployed further mitigations for newly discovered exploit vectors.
    
    A critical vulnerability ([CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182)) was recently disclosed in React’s [Server Functions](https://react.dev/reference/rsc/server-functions) protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.
    
    Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.
    
    The vulnerability can be exploited using all RSC implementations, including:
    
    -   Next.js versions 15 and 16, up to and including 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6 ([CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp))
    -   [React Router RSC Preview](https://reactrouter.com/how-to/react-server-components)
    -   [Vite RSC plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc)
    
    In affected configurations, an attacker could craft a request that allows them to **execute arbitrary code within the context of the victim’s app**.
    
    On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since that time, **all Netlify customers are not vulnerable** to the exploit. We have found **no evidence of exploitation** on any Netlify sites.
    
    **Please upgrade all React and Next.js projects to a patched version immediately**, and, in the case of Next.js, [**allow automatic updates of the OpenNext Netlify Next.js adapter**](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#nextjs-support-on-netlify).
    
    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.
    
    * * *
    
    _This post was last updated on 2025-12-08 at 22:45 UTC_
    
    [Permalink to Netlify’s response to the critical React & Next.js security vulnerability Permalink](/changelog/2025-12-03-react-security-vulnerability-response/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in Next.js
    
    ](/changelog/security-update-multiple-vulnerabilities-in-next-js-2025-08/)
    
    August 30, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    We are aware of recently disclosed vulnerabilities affecting Next.js applications:
    
    1.  [CVE-2025-55173](https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v): **Next.js Image Optimization – Arbitrary File Download**
    2.  [CVE-2025-57822](https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f): **Next.js Middleware – SSRF via Misuse of `next()`**
    3.  [CVE-2025-57752](https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v): **Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure**
    
    As a security precaution, we recommend upgrading to the latest versions of Next.js and enabling [**automatic updates of the OpenNext Netlify Next.js adapter**](https://docs.netlify.com/frameworks/next-js/overview/#reverting-to-an-older-adapter-version).
    
    The engineering team at Netlify has reviewed these and determined the following impact on Netlify sites: \*
    
    1.  [CVE-2025-55173](https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v): **Next.js Image Optimization – Arbitrary File Download**
    
    Sites on Netlify **are not vulnerable**.
    
    Next.js sites on Netlify use Netlify’s Image CDN instead of the affected built-in Next.js Image Optimization feature. Furthermore, Netlify Image CDN strips `Content-Disposition` headers, which is required for successful exploitation of this vulnerability. With this header removed it is not possible to force a file download or override the filename, even in case of a mismatch between the requested image type and the source file type.
    
    2.  [CVE-2025-57822](https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f): **Next.js Middleware – SSRF via Misuse of `next()`**
    
    Sites on Netlify **are not vulnerable**.
    
    Our OpenNext adapter uses Edge Functions to run middleware and relies on the `context.next()` API as the underlying implementation of `NextResponse.next()` calls, passing the original request URL and preventing this attack vector.
    
    3.  [CVE-2025-57752](https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v): **Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure**
    
    Next.js sites on Netlify are **potentially vulnerable**, if the sites use the `next/image` component to fetch images from a source that uses headers to conditionally serve images.
    
    Next.js sites using the `next/image` component will automatically opt into Netlify’s Image CDN which, by design, will automatically cache the source assets on Netlify’s Edge Cache. This means that a source image that is served behind an authorization header will get cached on the Netlify Edge Cache in order to improve performance. Upgrading to the newest version of Next.js will not change this behavior.
    
    If your Next.js site serves images from a protected source, we advise you to not use the `next/image` component so that you have full control over the caching and authorization strategies required for your use-case.
    
    We are working continually with the Next.js team and are committed to making your sites secure on Netlify.
    
    [Permalink to Security Update: Multiple vulnerabilities in Next.js Permalink](/changelog/security-update-multiple-vulnerabilities-in-next-js-2025-08/)
    
-   [
    
    ## Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421
    
    ](/changelog/security-update-next-js-sites-on-netlify-not-vulnerable-to-cve-2025-32421/)
    
    May 15, 2025
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    The Next.js team [recently disclosed CVE-2025-32421](https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4), a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.
    
    The engineering team at Netlify has confirmed that all Next.js sites on Netlify **are not vulnerable**. The vulnerability requires use of a CDN that may cache responses without explicit Cache-Control headers, but Netlify’s CDN never does so.
    
    As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and [allowing automatic updates of the OpenNext Netlify Next.js adapter](https://docs.netlify.com/frameworks/next-js/overview/#reverting-to-an-older-adapter-version).
    
    [Permalink to Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 Permalink](/changelog/security-update-next-js-sites-on-netlify-not-vulnerable-to-cve-2025-32421/)
    
-   [
    
    ## Security Update: React Router and Remix Vulnerabilities
    
    ](/changelog/security-update-react-router-remix-vulnerabilities/)
    
    April 27, 2025
    
    -   [security](/changelog/tag/security/)
    -   [remix](/changelog/tag/remix/)
    
    We are aware of recently disclosed vulnerabilities affecting React Router and Remix:
    
    1.  **[CVE 2025-31137](https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477) (React Router 7 and Remix): Spoof request path allowing certain access control bypasses**
    2.  **[CVE-2025-43864](https://github.com/advisories/GHSA-f46r-rw29-r322) (React Router 7 only): Cache poisoning leading to unusable responses**
    3.  **[CVE-2025-43865](https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j) (React Router 7 only): Cache poisoning with arbitrary data**
    
    **Impact on Netlify sites:**
    
    -   **CVE 2025-31137:** Sites on Netlify **are not vulnerable**, because the Netlify CDN cache varies on the query string by default, and Remix and React Router sites on Netlify do not use the impacted Express package.
    -   **CVE-2025-43864:** Sites on Netlify using **React Router 7.2.0 to 7.5.1** **were vulnerable until 04/27 3:00 UTC**. However, exploitation requires _all_ of the following conditions for a given URL to be poisonable:
        -   The site must not be using React Router’s SPA mode.
        -   The page or loader must be explicitly setting **caching headers**.
        -   A malicious request would need to be the **first request** to reach the cache (such as immediately after a deploy or cache invalidation).
    -   **CVE-2025-43865:** Sites on Netlify using **React Router 7.0.0 to 7.5.1** **were vulnerable until 04/27 3:00 UTC**. However, exploitation requires _all_ of the following conditions for a given URL to be poisonable:
        -   The page or loader must be explicitly setting **caching headers**.
        -   A malicious request would need to be the **first request** to reach the cache (such as immediately after a deploy or cache invalidation).
    
    We strongly recommend upgrading to the latest versions of React Router (7.5.2).
    
    Given these specific requirements, the number of vulnerable Netlify sites is low. However, out of an abundance of caution, our engineering team is actively rolling out a mitigation to further protect against these vulnerabilities. We will continue to monitor the situation and will provide updates as our work progresses.
    
    **Update:** As of 2025-04-27 3:00 AM UTC, a mitigation has been rolled out to the Netlify CDN for all vulnerable sites.
    
    [Permalink to Security Update: React Router and Remix Vulnerabilities Permalink](/changelog/security-update-react-router-remix-vulnerabilities/)
    

[Previous page](/changelog)