



























Socket proactively blocks malicious open source packages in your code.
Vercel announced that Next.js is adopting a formal security release program, replacing the ad-hoc patches the framework has shipped until now. Going forward, the team will publish advance notice of security releases on the Next.js blog roughly once a month. Each notice will state the expected release date and the highest anticipated severity of the fixes it covers.
The first scheduled release is slated for July 20. It will ship patch releases for Next.js 16.2 and 15.5 and addresses 4 high and 5 medium severity vulnerabilities. Vercel said it will publish CVE details once the patches are available. Urgent fixes and vulnerabilities under active exploitation will still ship more immediate patches outside the schedule.
Next.js has patched security issues on no set timeline. Vercel described those past releases as infrequent and disruptive, arriving with no advance warning. The new model gives teams a predictable window to plan upgrades. It also gives Vercel time to coordinate with hosting providers and platform partners on mitigations, such as firewall rules that can protect applications before they are patched.
Pre-announced, scheduled security releases are already standard at large open source projects. Django, Node.js, Kubernetes, and OpenSSL all publish security releases on a set cadence, with advance notice and an embargo on specifics until the patch lands. Next.js is adopting an established practice at its current scale rather than introducing a new one.
Vercel's post cites React2Shell as an example of its security process "working as intended." The vulnerability was one of the most serious to hit the React ecosystem in the past year.
React2Shell (CVE-2025-55182) was a pre-authentication remote code execution flaw in React Server Components, rated CVSS 10.0 and exploitable through a single crafted HTTP request. Google's Threat Intelligence Group observed widespread exploitation within days of the December 3 disclosure, across clusters ranging from opportunistic criminals to suspected espionage groups. Amazon saw China state-nexus groups, including Earth Lamia and Jackpot Panda, exploiting it within hours. Palo Alto's Cortex Xpanse counted more than 968,000 exposed React and Next.js instances. Default Next.js configurations were vulnerable with no code changes required from the developer.
The patch did not close the story. Researchers examining the fixes surfaced two more RSC vulnerabilities (CVE-2025-55183 and CVE-2025-55184), and the initial fix for one was incomplete, requiring a second patch under CVE-2025-67779. Vercel also ran a bounty on the React2Shell vulnerability class and WAF bypasses, and says the program paid out more than $1M to dozens of researchers.
React2Shell was the second high-severity security event to hit Next.js in about a year, but it was not a Next.js bug. The flaw was in React Server Components, upstream of Next.js, and Next.js shipped it to users through the App Router.
The first event was a flaw in Next.js itself, an authorization bypass disclosed in March 2025 and rated CVSS 9.1. It let an attacker skip Next.js middleware, including authentication and authorization checks, by spoofing the internal x-middleware-subrequest header. In its postmortem, Vercel acknowledged that the initial report sat in a lower-priority triage queue, that triaging was delayed, and that it could have communicated better with infrastructure and auth partners. That incident produced the LTS policy that now governs which Next.js versions receive security backports.
Each event was followed by a change in how Vercel handles security releases. The scheduled program is the latest.
Advance notice helps platforms deploy mitigations before users upgrade. During React2Shell, Vercel worked with the React team to design WAF rules and delivered them to Vercel-hosted applications before the CVE was public. The same held for CVE-2025-29927, where Vercel-hosted deployments were protected automatically.
Self-hosted deployments are more exposed. The window between a scheduled disclosure and a completed upgrade is the period attackers target. Next.js also sits deep in the dependency trees of millions of applications, which means the teams that need to act on each release include those who are not running Next.js directly.
Vercel attributes the rising volume of vulnerability research to LLM-assisted discovery, and cites one data point: Mozilla's disclosure of 271 issues in a single Firefox release. Those fixes shipped in Firefox 150, all surfaced by an early version of Anthropic's Claude Mythos Preview. An earlier pass with Claude Opus 4.6 had found 22 in Firefox 148. This week, Microsoft shipped its largest Patch Tuesday on record, 570 fixes, and credited AI-aided discovery for the volume. Microsoft has now patched more than 1,300 vulnerabilities in the first seven months of 2026, close to double the same period last year.
Other vendors are also speeding up their security release schedules. Adobe is moving to twice-monthly security bulletins and cited AI for accelerating its cycle, and Cisco, Mozilla, and Oracle are also shipping updates more frequently. Vercel runs the same class of tooling against Next.js through deepsec, the agent-powered scanner it open sourced in May, along with its own researchers and an expanded bug bounty scope. The company anticipates the first scheduled security release will cover nine vulnerabilities on its own.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。