New deployments of vulnerable Next.js applications are now blocked by default

Published: 1 month ago (December 5, 2025 at 08:00 AM EST)

1 min read

Source: Vercel Blog

Update Summary

Any new deployment containing a version of Next.js that is vulnerable to will now automatically fail to deploy on Vercel. CVE-2025-66478

We strongly recommend upgrading to a patched version regardless of your hosting provider. Learn more

This automatic protection can be disabled by setting the en…

Back to Blog

Building a Headless Store with Next.js 16 and Shopify API

Building a headless store with Shopify and Next.js 16 gives you total control over the user experience. You aren't limited by a pre‑made theme; instead, you are...

Urgent Security Update from Next.js

!Cover image for Urgent Security Update from Next.jshttps://media2.dev.to/dynamic/image/width=1000,height=420,fit=cover,gravity=auto,format=auto/https%3A%2F%2Fd...

Football pitch reservation app built with Next.js, Shadcn UI, Prisma, and Better Auth

!Cover image for Football pitch reservation app built with Next.js, Shadcn UI, Prisma, and Better Authhttps://media2.dev.to/dynamic/image/width=1000,height=420,...

Automated React2Shell vulnerability patching is now available

Vercel Agent now detects vulnerable packages in your project, and automatically generates pull requests with fixes to upgrade them to .patched versions Powered...

Update Summary

Related posts

Building a Headless Store with Next.js 16 and Shopify API

Urgent Security Update from Next.js

Football pitch reservation app built with Next.js, Shadcn UI, Prisma, and Better Auth

Automated React2Shell vulnerability patching is now available