§ feed · storyline

New deployments of vulnerable Next.js applications are now blocked by default

Vercel now blocks new deployments of Next.js versions vulnerable to CVE-2025-29927 by default, with an override environment variable available for projects requiring the behaviour to be disabled.

Dec 5 · 14:00:00 · primary fetch1 sourceupdated Dec 5 · 14:00:00

Any new deployment containing a version of Next.js that is vulnerable to will now automatically fail to deploy on Vercel. CVE-2025-66478 We strongly recommend upgrading to a patched version regardless of your hosting provider.

Learn more This automatic protection can be disabled by setting the environment variable on your Vercel project. DANGEROUSLY_DEPLOY_VULNERABLE_CVE_2025_66478=1Learn more Read more

read full article on vercel.com ↗

§ sources1 publication · timeline below

vercel.comNew deployments of vulnerable Next.js applications are now blocked by defaultprimary14:00:00