firebase · annajowang · Dec 3, 2025 · Dec 3, 2025 · Dec 3, 2025 · Dec 3, 2025
@@ -61,7 +61,7 @@
     "@types/tmp": "*",
     "mocha": "*",
     "next": "~14.0.0",
-    "semver": "*",
+    "semver": "^7.7.3",
     "tmp": "*",
     "ts-mocha": "*",
     "ts-node": "*",

@@ -6,6 +6,7 @@
   validateOutputDirectory,
   getAdapterMetadata,
   exists,
+  checkNextJSVersion,
 } from "../utils.js";
 import { join } from "path";
 import { getBuildOptions, runBuild } from "@apphosting/common";
@@ -24,6 +25,7 @@
 // Opt-out sending telemetry to Vercel
 process.env.NEXT_TELEMETRY_DISABLED = "1";
 
+checkNextJSVersion(process.env.FRAMEWORK_VERSION)
 const nextConfig = await loadConfig(root, opts.projectDirectory);
 
 /**

@@ -6,6 +6,24 @@ import path from "path";
 import os from "os";
 import { RoutesManifest, MiddlewareManifest } from "../src/interfaces.js";
 
+describe("block vulnerable nextjs versions", () => {
+  it("should allow for unspecified", async () => {
+    const { checkNextJSVersion } = await importUtils;
+
+    assert.throws(() => {
+      checkNextJSVersion("15.0.0");
+    });
+
+    assert.ok(() => {
+      checkNextJSVersion(undefined);
+    });
+
+    assert.ok(() => {
+      checkNextJSVersion("15.0.5");
+    });
+  });
+});
+
 describe("manifest utils", () => {
   let tmpDir: string;
   let distDir: string;

@@ -1,4 +1,5 @@
 import fsExtra from "fs-extra";
+import semVer from "semver";
 import { createRequire } from "node:module";
 import { join, dirname, relative, normalize } from "path";
 import { fileURLToPath } from "url";
@@ -16,7 +17,18 @@
 
 // fs-extra is CJS, readJson can't be imported using shorthand
 export const { copy, exists, writeFile, readJson, readdir, readFileSync, existsSync, ensureDir } =
-  fsExtra;
+	     fsExtra;
+export const {satisfies} = semVer;
+
+export function checkNextJSVersion(version: string | undefined) {
+  if (version == undefined) {
+    return
+  }
+  if (!satisfies(version, '>=16.1.0 || ^16.0.7 || ^v15.5.7 || ^v15.4.8 || ^v15.3.6 || ^v15.2.6 || ^v15.1.9 || ^v15.0.5 || <14.3.0-canary.77')) {
+    throw new Error(
+    `CVE-2025-55182: Vulnerable Next version ${version} detected. Build blocked`);
+  }
+}
 
 // Loads the user's next.config.js file.
 export async function loadConfig(root: string, projectRoot: string): Promise<NextConfigComplete> {

@@ -9,7 +9,7 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "next": "15.0.0",
+    "next": "15.0.5",
     "react": "^18",
     "react-dom": "^18"
   },