Next.js ↗

Vercel · Web / Framework

Track your version:Monitors Next.js and tailors your dashboard to that exact version.

16.2.9 · latest cycle100/100 Healthy

Summary iPlain-English security verdict for Next.js, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.

Next.js currently scores 100/100 — healthy. 1 actively-exploited vulnerability (CISA KEV) affects older releases (e.g. CVE-2025-55182) — staying on the latest supported version keeps you clear of it. The latest supported release is 16.2.9. It's on the latest patch with no significant known issues — keep it current.

Disclosure trend iNew CVEs published for Next.js each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.

'19

'20

'21

'22

'23

'24

'25

'26

1 of its known vulnerability is linked to ransomware campaigns (CISA KEV).

Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.

Most urgent first — actively exploited, then likeliest to be exploited.

CVE-2025-55182 CRITICAL exploited ransomware Insecure deserialization EPSS 100% → fixed in 16.0.7 CVE-2025-29927 CRITICAL CWE-285 EPSS 93% → fixed in 15.2.3 CVE-2025-55184 HIGH Insecure deserialization EPSS 66% → fixed in 16.0.10 CVE-2025-55183 MEDIUM EPSS 62% → fixed in 16.0.10 CVE-2024-46982 HIGH Authorization bypass EPSS 58% → fixed in 14.2.10 CVE-2021-43803 HIGH Improper input validation EPSS 45% → fixed in 12.0.5

See all 47 known Next.js CVEs & security history →

Get alerted about Next.js

Be emailed the moment Next.js gets a newly exploited vulnerability (CISA KEV) or a release reaches end of life. Free · double opt-in · unsubscribe anytime.

We email only on real events for Next.js — no marketing, no sharing, and we never know what you run. Track your whole stack →

Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.

How long each Next.js release line is supported — and when it sunsets. Select a line for its full report.

Oct21'26 Next.js 15EOL 2026-10-21

Oct26'25 Next.js 14ended 2025-10-26

Dec21'24 Next.js 13ended 2024-12-21

Nov21'22 Next.js 12ended 2022-11-21

Jan27'22 Next.js 11ended 2022-01-27

Jun15'21 Next.js 10ended 2021-06-15

Oct27'20 Next.js 9ended 2020-10-27

Full Next.js end-of-life dates & support timeline →

16 latest 16.2.9 Supported 16.2.9 → 15 latest 15.5.19 Supported until 2026-10-2115.5.19 → 14 latest 14.2.35 End of life ended 2025-10-2614.2.35 → 13 latest 13.5.11 End of life ended 2024-12-2113.5.11 → 12 latest 12.3.7 End of life ended 2022-11-2112.3.7 → 11 latest 11.1.4 End of life ended 2022-01-2711.1.4 → 10 latest 10.2.3 End of life ended 2021-06-1510.2.3 → 9 latest 9.5.5 End of life ended 2020-10-279.5.5 → See all upcoming end-of-life dates →

Frequently asked

Is Next.js safe and patched?

What should I do about Next.js now?

Upgrade Next.js to the latest supported release (16.2.9) or later, which clears the actively-exploited issues affecting older versions, then confirm against Vercel's official advisory.

When does Next.js reach end-of-life?

The latest supported Next.js release is 16.2.9. After end-of-life a release no longer receives security patches.

Which versions of Next.js are still receiving security updates?

Supported Next.js release lines (latest 16.2.9): 16, 15. End-of-life releases no longer receive security patches.

Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Vercel's official advisory before you patch or upgrade — Next.js official site ↗