[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZ8mLEXm4qIbt4M06CKmF0En4Swit3rGCCs_wgMf_GDs":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"1de93e57-7545-42b5-9d42-f831e2dd345f","Next.js moves to scheduled security releases","next-js-moves-to-scheduled-security-releases-237cba","Vercel announced that Next.js is adopting a formal security release program, replacing the ad-hoc patches the framework has shipped until now. Going forward, the team will publish advance notice of security releases on the Next.js blog roughly once a month. Each notice will state the expected release date and the highest anticipated severity of the fixes it covers. The first scheduled release is slated for July 20. It will ship patch releases for Next.js 16.2 and 15.5 and addresses 4 high and 5 medium severity vulnerabilities. Vercel said it will publish CVE details once the patches are available. Urgent fixes and vulnerabilities under active exploitation will still ship more immediate patches outside the schedule. The program replaces ad-hoc patches with a fixed cadence # Next.js has patched security issues on no set timeline. Vercel described those past releases as infrequent and disruptive, arriving with no advance warning. The new model gives teams a predictable window to plan upgrades. It also gives Vercel time to coordinate with hosting providers and platform partners on mitigations, such as firewall rules that can protect applications before they are patched. Pre-announced, scheduled security releases are already standard at large open source projects. Django, Node.js, Kubernetes, and OpenSSL all publish security releases on a set cadence, with advance notice and an embargo on specifics until the patch lands. Next.js is adopting an established practice at its current scale rather than introducing a new one. React2Shell preceded the program # Vercel's post cites React2Shell as an example of its security process \"working as intended.\" The vulnerability was one of the most serious to hit the React ecosystem in the past year. React2Shell (CVE-2025-55182) was a pre-authentication remote code execution flaw in React Server Components, rated CVSS 10.0 and exploitable through a single crafted HTTP request. Google's Threat Intelligence Group observed widespread exploitation within days of the December 3 disclosure, across clusters ranging from opportunistic criminals to suspected espionage groups. Amazon saw China state-nexus groups, including Earth Lamia and Jackpot Panda, exploiting it within hours. Palo Alto's Cortex Xpanse counted more than 968,000 exposed React and Next.js instances. Default Next.js configurations were vulnerable with no code changes required from the developer. The patch did not close the story. Researchers examining the fixes surfaced two more RSC vulnerabilities (CVE-2025-55183 and CVE-2025-55184), and the initial fix for one was incomplete, requiring a second patch under CVE-2025-67779. Vercel also ran a bounty on the React2Shell vulnerability class and WAF bypasses, and says the program paid out more than $1M to dozens of researchers. Vercel has changed its security process twice since early 2025 # React2Shell was the second high-severity security event to hit Next.js in about a year, but it was not a Next.js bug. The flaw was in React Server Components, upstream of Next.js, and Next.js shipped it to users through the App Router. The first event was a flaw in Next.js itself, an authorization bypass disclosed in March 2025 and rated CVSS 9.1. It let an attacker skip Next.js middleware, including authentication and authorization checks, by spoofing the internal x-middleware-subrequest header. In its postmortem, Vercel acknowledged that the initial report sat in a lower-priority triage queue, that triaging was delayed, and that it could have communicated better with infrastructure and auth partners. That incident produced the LTS policy that now governs which Next.js versions receive security backports. Each event was followed by a change in how Vercel handles security releases. The scheduled program is the latest. Self-hosted deployments carry the risk # Advance notice helps platforms deploy mitigations before users upgrade. During React2Shell, Vercel worked with the React team to design WAF rules and delivered them to Vercel-hosted applications before the CVE was public. The same held for CVE-2025-29927, where Vercel-hosted deployments were protected automatically. Self-hosted deployments are more exposed. The window between a scheduled disclosure and a completed upgrade is the period attackers target. Next.js also sits deep in the dependency trees of millions of applications, which means the teams that need to act on each release include those who are not running Next.js directly. AI-assisted discovery is raising patch volume across the industry # Vercel attributes the rising volume of vulnerability research to LLM-assisted discovery, and cites one data point: Mozilla's disclosure of 271 issues in a single Firefox release. Those fixes shipped in Firefox 150, all surfaced by an early version of Anthropic's Claude Mythos Preview. An earlier pass with Claude Opus 4.6 had found 22 in Firefox 148. This week, Microsoft shipped its largest Patch Tuesday on record, 570 fixes, and credited AI-aided discovery for the volume. Microsoft has now patched more than 1,300 vulnerabilities in the first seven months of 2026, close to double the same period last year. Other vendors are also speeding up their security release schedules. Adobe is moving to twice-monthly security bulletins and cited AI for accelerating its cycle, and Cisco, Mozilla, and Oracle are also shipping updates more frequently. Vercel runs the same class of tooling against Next.js through deepsec, the agent-powered scanner it open sourced in May, along with its own researchers and an expanded bug bounty scope. The company anticipates the first scheduled security release will cover nine vulnerabilities on its own.","Vercel announced that Next.js will implement a formal monthly security release schedule with advance notice and embargo periods, shifting from previously ad-hoc patches. The program aims to give development teams predictable upgrade windows and allow Vercel to coordinate mitigations with hosting partners. The announcement follows critical vulnerabilities including React2Shell (CVE-2025-55182, CVSS 10.0) and a 2025 authorization bypass, both of which prompted security process improvements.","Next.js adopts scheduled monthly security releases with advance notice, replacing ad-hoc patching.","Research\u002FSecurity News11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.By Kush Pandya - Jul 14, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fnextjs-moves-to-scheduled-security-releases?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F948d8385d51301b0feff2aaa76ba52445def8295-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-07-16T01:53:24.144+00:00","2026-07-16T06:00:24.167706+00:00",8,[18,21,23,26,28,31],{"name":19,"type":20},"Next.js","product",{"name":22,"type":20},"React Server Components",{"name":24,"type":25},"Vercel","vendor",{"name":27,"type":20},"deepsec",{"name":29,"type":30},"App Router","technology",{"name":32,"type":33},"Earth Lamia","threat_actor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":34,"icon":36,"name":37,"slug":38},null,"Vulnerabilities","vulnerabilities",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[56,60,63,65,68,71,74],{"type":57,"value":58,"context":59},"cve","CVE-2025-55182","React2Shell - pre-authentication RCE in React Server Components, CVSS 10.0, exploited by state-nexus groups",{"type":57,"value":61,"context":62},"CVE-2025-55183","Follow-up RSC vulnerability discovered after React2Shell patch",{"type":57,"value":64,"context":62},"CVE-2025-55184",{"type":57,"value":66,"context":67},"CVE-2025-67779","Incomplete fix for RSC vulnerability, required second patch",{"type":57,"value":69,"context":70},"CVE-2025-29927","Vulnerability where Vercel-hosted deployments were auto-protected",{"type":72,"value":32,"context":73},"malware","China state-nexus group observed exploiting React2Shell within hours",{"type":72,"value":75,"context":73},"Jackpot Panda"]