Misleading warning about react2shell CVE (suggested wrong Next.js version to patch to)

This just cropped up today…super strange. When I went to publish my changes, it gave me a warning that my code contained a known CVE (the React2Shell vulnerability). The strange thing though is that I upgraded to Next 15.5.7 weeks ago when the CVE was discovered. So I opened my package.json in the file editor in v0, and it shows 15.2.6 (I clicked into the latest version). Yet when I do a fetch & pull at my command line and open the same package.json on my local computer, it still shows Next 15.5.7.

Just to be sure, I published, rebuilt my code, and can confirm that I’m still running Next 15.5.7. When I hard refresh the file editor, though, it still shows the outdated package.json, and a reference to 15.2.6. Not sure what will happen next…but it feels like something inside of v0 will seriously break soon if it thinks I’m using an old set of dependencies.

Hi @rtruxler, thanks for bringing it to our attention. Could you share the chat ID or URL (make sure it’s private)?

Hey all. Actually I figured it out – user error mixed with some bad documentation on Next.js’s side regarding affected Next.js versions. To summarize:

  • My changes to the base version of Next.js hadn’t been checked in, but were being applied in my deployment pipeline (long story…like I said, user error). So v0 correctly thought I was using an old version, even though it was deploying with a new version.
  • That said, Next.js’s documentation said I need to upgrade to 15.2.6 or newer, and I was already on 15.2.6, which is where my confusion stemmed from.
  • The CVE has been updated to indicate that 15.2.6 is now ALSO impacted by the CVE, and needs to be updated. So v0 was correctly noticing that 15.2.6 has a vulnerability, even though it previously didn’t.

The Next.js doc that is misleading is:

Specifically this part:

In my case, I needed to upgrade to 15.5.9 since I was already on 15.5.7. Likewise, 15.2.6 is not a safe patched release anymore. This appears to be the old list of patched versions from the original CVE report.

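The two replies above describe the same failure mode from two angles: a scanner that reads the committed package.json sees only the floor of a range such as ^15.2.6, while the version actually deployed comes from the lockfile or from changes applied later in the pipeline, and a floor that was "patched" when the advisory was first published can later be marked vulnerable. The script below is an added example, not code from the thread, from v0 or from Next.js: it derives the floor a manifest declares, reads the version a package-lock.json resolved (the lockfileVersion 2/3 "packages" layout, falling back to the v1 "dependencies" layout), compares both against a required minimum, and flags the stale-manifest case. The sample manifest and lockfile are constructed for the demo, and the 15.5.9 minimum is taken from the reply above for the 15.5.x line; replace it with whatever the current advisory lists for your release line.

```javascript
// Added example (not from the thread, v0 or Next.js): compare the Next.js version a
// manifest declares, the version a lockfile resolved, and a required minimum.
// The manifest/lockfile objects near the bottom are constructed sample data.

// Parse "15.5.7" into [15, 5, 7]; a prerelease suffix such as "-canary.3" is dropped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison (so 15.10.0 > 15.9.0, unlike a string compare). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a package.json range such as "^15.2.6", "~15.2.6" or ">=15.2.6"
// admits. This floor is all a scanner that reads only package.json can see; it says
// nothing about what the lockfile actually resolved or what the pipeline deployed.
function rangeFloor(range) {
  const m = /(\d+\.\d+\.\d+)/.exec(range);
  if (!m) throw new Error(`cannot derive a floor from range: ${range}`);
  return m[1];
}

// Version of `next` recorded in package-lock.json. lockfileVersion 2/3 keys entries
// by path under "packages"; lockfileVersion 1 used "dependencies". Null if absent.
function lockedNextVersion(lock) {
  const pkg = lock.packages && lock.packages['node_modules/next'];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies.next;
  return dep && dep.version ? dep.version : null;
}

// Report what is declared, what is locked, and whether each meets `minimum`.
function auditNext(packageJson, lockJson, minimum) {
  const range = (packageJson.dependencies || {}).next;
  if (!range) throw new Error('package.json does not depend on next');
  const declaredFloor = rangeFloor(range);
  const locked = lockedNextVersion(lockJson);
  const report = {
    declaredRange: range,
    declaredFloor,
    declaredOk: compareVersions(declaredFloor, minimum) >= 0,
    locked,
    lockedOk: locked !== null && compareVersions(locked, minimum) >= 0,
  };
  // The situation from the thread: the committed manifest's floor is below the
  // patched release while what is locked/deployed is new enough. A manifest-only
  // scanner will keep warning until the manifest itself is bumped and committed.
  report.manifestStale = report.lockedOk && !report.declaredOk;
  return report;
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = { dependencies: { next: '^15.2.6' } };
const SAMPLE_LOCK_JSON = {
  lockfileVersion: 3,
  packages: { 'node_modules/next': { version: '15.5.7' } },
};
// Minimum taken from the reply above for the 15.5.x line; adjust to the current advisory.
const REQUIRED_MINIMUM = '15.5.9';

if (typeof require !== 'undefined' && require.main === module) {
  // Both the declared floor (15.2.6) and the locked version (15.5.7) fall below 15.5.9.
  console.log(auditNext(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON, REQUIRED_MINIMUM));
}
```

In a real project the two objects come from `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; checking `node_modules/next/package.json` on the build host is the third reading worth comparing. If `manifestStale` comes back true, the fix is to bump the range in package.json and commit it, since a committed manifest is the only thing a scanner that does not resolve the lockfile will evaluate.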
