Block vulnerable nextjs versions. (#442)

* Block vulnerable nextjs versions.

* test

* some cleanup

* lint

* more tests

Author: annajowang

package-lock.json

@@ -61,7 +61,7 @@
     "@types/tmp": "*",
     "mocha": "*",
     "next": "~14.0.0",
-    "semver": "*",
+    "semver": "^7.7.3",
     "tmp": "*",
     "ts-mocha": "*",
     "ts-node": "*",

packages/@apphosting/adapter-nextjs/package.json

@@ -6,6 +6,7 @@ import {
   validateOutputDirectory,
   getAdapterMetadata,
   exists,
+  checkNextJSVersion,
 } from "../utils.js";
 import { join } from "path";
 import { getBuildOptions, runBuild } from "@apphosting/common";
@@ -24,6 +25,7 @@ process.env.NEXT_PRIVATE_STANDALONE = "true";
 // Opt-out sending telemetry to Vercel
 process.env.NEXT_TELEMETRY_DISABLED = "1";
 
+checkNextJSVersion(process.env.FRAMEWORK_VERSION);
 const nextConfig = await loadConfig(root, opts.projectDirectory);
 
 /**

packages/@apphosting/adapter-nextjs/src/bin/build.ts

@@ -6,6 +6,52 @@ import path from "path";
 import os from "os";
 import { RoutesManifest, MiddlewareManifest } from "../src/interfaces.js";
 
+describe("block vulnerable nextjs versions", () => {
+  it("check for vulnerable versions", async () => {
+    const { checkNextJSVersion } = await importUtils;
+
+    assert.throws(() => {
+      checkNextJSVersion("15.0.0");
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion(undefined);
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion("15.0.5");
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion("14.0.12");
+    });
+
+    assert.throws(() => {
+      checkNextJSVersion("14.3.0-canary.77");
+    });
+
+    assert.throws(() => {
+      checkNextJSVersion("14.3.0-canary.78");
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion("14.3.0-canary.76");
+    });
+
+    assert.throws(() => {
+      checkNextJSVersion("15.0.0-canary.2");
+    });
+
+    assert.throws(() => {
+      checkNextJSVersion("16.0.6");
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion("16.0.7");
+    });
+  });
+});
+
 describe("manifest utils", () => {
   let tmpDir: string;
   let distDir: string;

packages/@apphosting/adapter-nextjs/src/utils.spec.ts

@@ -1,4 +1,5 @@
 import fsExtra from "fs-extra";
+import semVer from "semver";
 import { createRequire } from "node:module";
 import { join, dirname, relative, normalize } from "path";
 import { fileURLToPath } from "url";
@@ -17,6 +18,21 @@ import { OutputBundleConfig, updateOrCreateGitignore } from "@apphosting/common"
 // fs-extra is CJS, readJson can't be imported using shorthand
 export const { copy, exists, writeFile, readJson, readdir, readFileSync, existsSync, ensureDir } =
   fsExtra;
+export const { satisfies } = semVer;
+
+const SAFE_NEXTJS_VERSIONS =
+  ">=16.1.0 || ^16.0.7 || ^v15.5.7 || ^v15.4.8 || ^v15.3.6 || ^v15.2.6 || ^v15.1.9 || ^v15.0.5 || <14.3.0-canary.77";
+
+export function checkNextJSVersion(version: string | undefined) {
+  if (!version) {
+    return;
+  }
+  if (!satisfies(version, SAFE_NEXTJS_VERSIONS)) {
+    throw new Error(
+      `CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy:https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
+    );
+  }
+}
 
 // Loads the user's next.config.js file.
 export async function loadConfig(root: string, projectRoot: string): Promise<NextConfigComplete> {

packages/@apphosting/adapter-nextjs/src/utils.ts

@@ -9,7 +9,7 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "next": "15.0.0",
+    "next": "15.0.5",
     "react": "^18",
     "react-dom": "^18"
   },