v3.68.3 (2025-12-11)
⚠️ Security Issue
A high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183) affect React 19 and frameworks that use it, like Next.js.
Full details here: https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app
While this is not a Payload vulnerability, it may affect any Payload project running on the affected versions of Next.js. Payload does not install any of these dependencies directly, it simply enforces their versions through its peer dependencies, which will only warn you of the version incompatibilities.
You will need to upgrade React and Next.js yourself in your own apps to the patched versions listed below in order to receive these updates.
Resolution
You are strongly encouraged to upgrade your own apps to the nearest patched versions of Next.js and deploy immediately.
Quick steps:
If using pnpm as your package manager, here's a one-liner:
pnpm add next@15.4.9
For a full breakdown of the vulnerable packages and their patched releases, see https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app.
🐛 Bug Fixes
🤝 Contributors
- Jake (@jacobsfletch)
- Jarrod Flesch (@JarrodMFlesch)