§ feed · storyline

Vercel blocks deployments using vulnerable next-mdx-remote versions

Vercel blocks new deployments containing vulnerable versions of next-mdx-remote affected by CVE-2026-0969, with an environment variable override available to disable the protection.

Feb 12 · 14:00:00 · primary fetch1 sourceupdated Feb 12 · 14:00:00

Any new deployment containing a version of the third-party package that is vulnerable to will now automatically fail to deploy on Vercel.next-mdx-remoteCVE-2026-0969 We strongly recommend upgrading to a patched version regardless of your hosting provider.

This automatic protection can be disabled by setting the environment variable on your Vercel project. DANGEROUSLY_DEPLOY_VULNERABLE_CVE_2026_0969=1Learn more Read more

read full article on vercel.com ↗

§ sources1 publication · timeline below

vercel.comNew deployments with vulnerable versions of the third-party package next-mdx-remote are now blocked by defaultprimary14:00:00