Next.js 15.x/16.x Security Update: Critical React Vulnerability Patched in v15.5.14
A critical security vulnerability in React 19 has triggered an urgent dependency update for Next.js, forcing developers to patch to version 15.5.14. The flaw, tracked as GHSA-9qr9-h5gf-34mp, stems from upstream packages and directly impacts Next.js 15.x and 16.x applications using the App Router. This is not a routine chore update; it's a mandatory security fix for a live exploit path.
The vulnerability originates in specific versions of React (19.0.0 through 19.2.0) and propagates to frameworks that depend on them. The automated pull request from the Renovate bot shows the direct dependency change from Next.js 15.4.7 to 15.5.14, which contains the necessary patches. The advisory indicates the issue is actively tracked upstream, confirming its severity and the coordinated response between the React and Next.js maintainer teams at Vercel.
This update places immediate pressure on development and security teams across the global Next.js ecosystem. Any unpatched application using the affected React and Next.js versions remains exposed. The automated nature of the PR underscores the standard practice for handling such vulnerabilities, but manual intervention is still required to merge and deploy the fix. The scope is significant, covering all major 15.x and 16.x releases, making this a widespread infrastructure security event.
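A lockfile check for the versions named above, as an added example that is not part of the original article or of the React or Next.js projects: it walks the `packages` map of a package-lock.json and flags React 19.0.0 through 19.2.0 and Next.js 15.x below 15.5.14. Assumptions: every 15.x release below 15.5.14 is treated as needing the update, 16.x is marked for manual review because the article names no fixed 16.x release, and the sample lockfile is constructed.

```javascript
// Added example: flag installed react/next versions named in the article.
// Version numbers come from the article text; the sample data is constructed.
const REACT_AFFECTED = { min: [19, 0, 0], max: [19, 2, 0] }; // inclusive range per the article
const NEXT_15_FIXED = [15, 5, 14]; // assumption: every 15.x below this needs the update

// Parse "MAJOR.MINOR.PATCH"; prerelease/build suffixes return null and go to manual review.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return "review"; // canary/rc builds cannot be compared safely
  if (name === "react") {
    return compare(v, REACT_AFFECTED.min) >= 0 && compare(v, REACT_AFFECTED.max) <= 0 ? "affected" : "ok";
  }
  if (name === "next") {
    if (v[0] === 15) return compare(v, NEXT_15_FIXED) < 0 ? "affected" : "ok";
    if (v[0] === 16) return "review"; // article lists 16.x as impacted but names no fixed 16.x release
  }
  return "ok";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3), nested copies included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name !== "react" && name !== "next") continue;
    const status = classify(name, meta.version);
    if (status !== "ok") findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react": { version: "19.1.0" },
  "node_modules/some-widget/node_modules/react": { version: "18.3.1" },
} };
console.log(auditLockfile(sampleLock));
```

Nested copies matter because a transitive dependency can pin its own React even after the top-level package is updated; run the check against the deployed lockfile, not only the one in the PR branch.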