
Important Security Update for Next.js 15 & 16

  • Writer: Chandan Rajpurohit
  • 9 hours ago

A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).


The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.


If you are using Next.js, every version between Next.js 15 and 16 is affected, and Vercel recommends immediately updating to the latest Next.js versions containing the appropriate fixes (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7).


Affected Next.js Versions


Applications using React Server Components with the App Router are affected when running:


  • Next.js 15.x

  • Next.js 16.x

  • Next.js 14.3.0-canary.77 and later canary releases


Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.


Fixed Versions


The vulnerability is fully resolved in the following patched Next.js releases:


  • 15.0.5

  • 15.1.9

  • 15.2.6

  • 15.3.6

  • 15.4.8

  • 15.5.7

  • 15.6.0-canary.58

  • 16.0.7


These versions include the hardened React Server Components implementation.


If you are using another framework that uses Server Components, Vercel also recommends immediately updating to the latest React versions containing the appropriate fixes (19.0.1, 19.1.2, and 19.2.1).


Upgrade Next.js now!


To update to Next.js version 16, you can use the upgrade codemod:

npx @next/codemod@canary upgrade latest

The codemod is able to:


  • Update next.config.js to use the new turbopack configuration

  • Migrate from next lint to the ESLint CLI

  • Migrate from deprecated middleware convention to proxy

  • Remove unstable_ prefix from stabilized APIs

  • Remove experimental_ppr Route Segment Config from pages and layouts


If you prefer to do it manually, install the latest Next.js and React versions:

npm install next@latest react@latest react-dom@latest

or

npm install next@15.0.5   # for 15.0.x
npm install next@15.1.9   # for 15.1.x
npm install next@15.2.6   # for 15.2.x
npm install next@15.3.6   # for 15.3.x
npm install next@15.4.8   # for 15.4.x
npm install next@15.5.7   # for 15.5.x
npm install next@16.0.7   # for 16.0.x
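
To work out which of the pinned releases above applies to a given project, the check below classifies an installed Next.js version against the affected and fixed lists in this article. It is an added example, not code from Vercel or the Next.js project; the function names (parse, compare, classifyNext) and the status labels are assumptions made for illustration.

```javascript
// Added example (not from the article or from Vercel): classify a resolved
// Next.js version against the affected and fixed lists given in this article.
// Pass the installed version (lockfile or node_modules/next/package.json), not
// a range such as "^15.1.0". App Router use is not checked here.

// First fixed release per release line, copied from the article.
const FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '15.6': '15.6.0-canary.58', '16.0': '16.0.7',
};

// Parse "15.6.0-canary.58" into comparable parts; returns null if malformed.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+)(?:\.(\d+))?)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], tag: m[4] || null, n: m[5] ? +m[5] : 0 };
}

// Semver-style ordering: a pre-release sorts before the release of the same number.
function compare(a, b) {
  const key = (x) => [x.major, x.minor, x.patch, x.tag ? 0 : 1, x.n];
  const ka = key(a), kb = key(b);
  for (let i = 0; i < ka.length; i++) if (ka[i] !== kb[i]) return ka[i] < kb[i] ? -1 : 1;
  return 0;
}

// Returns { status, upgradeTo? } where status is one of:
// 'affected' | 'patched' | 'not-affected' | 'unlisted' | 'invalid'.
function classifyNext(version) {
  const v = parse(version);
  if (!v) return { status: 'invalid' };
  if (v.major === 13) return { status: 'not-affected' };
  if (v.major === 14) {
    // Only canaries from 14.3.0-canary.77 onward are listed as affected.
    const hit = v.tag === 'canary' && compare(v, parse('14.3.0-canary.77')) >= 0;
    return { status: hit ? 'affected' : 'not-affected' };
  }
  const fixed = FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return { status: 'unlisted' }; // release line not named in the article
  return compare(v, parse(fixed)) >= 0
    ? { status: 'patched' }
    : { status: 'affected', upgradeTo: fixed };
}

// Constructed sample versions, for illustration only.
for (const s of ['15.4.7', '15.4.8', '14.2.30', '14.3.0-canary.80', '15.6.0-canary.57', '^15.1.0']) {
  console.log(s.padEnd(18), JSON.stringify(classifyNext(s)));
}
```

A result of 'unlisted' means the article names no fixed release for that line, so it should be checked against the vendor advisory rather than assumed safe.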

You can read more about the vulnerability in our changelog. If you have any questions, please reach out to security@vercel.com.


Thank you for reading this article; I really appreciate it. If you have any questions, feel free to leave a comment.
