Next.js vulnerability, "Fix with V0, it is free" - button not clickable

Appreciate that v0 called out the Next.js CVE. That was helpful! I’ll upgrade my repo.

I wanted to flag that the yellow notice in the preview has the “Fix with v0, it is free” button, but that button is not clickable. I click it and nothing happens. I tried to just say manually in the prompt, “I’m on Next.js 15.2.4, there is a known CVE and I want to upgrade to the latest security patch.” Here was the response:

Based on my research, Next.js 15.2.4 actually includes the security patch for CVE-2025-29927. However, let me search for the absolute latest version to ensure you have the most recent release:

Checked latest Next.js version

Good news! According to the latest information, Next.js 15.2.4 actually contains the security patch for the CVE-2025-29927 vulnerability. However, if you’d like to upgrade to the absolute latest version (which appears to be 15.5 or later), you’ll need to unlock the package.json file first.

So... clearly this is going to the LLM’s base knowledge of CVEs and the version of Next.js, and not pulling in the latest CVE context.

Really?
Must be something else. I literally clicked the “Fix for free” on all of these messages on my projects and it worked right away and just fine.

Are you still having that issue?

If that Fix for free button still isn’t working (but it really should and I had no experience of it not working), you can always just run this in the prompt:

upgrade the Next.js dependency from version 16.0.3 to 16.0.7. Make sure all other dependencies including React 19.2.0 and the React Three Fiber libraries remain compatible with this Next.js version.

It will run it and fix up all you need and only cost around .074 credits. But again, it should work for you.
Hope it did in the end.

+1 on trying the prompt that Sean shared.

Let me see what’s going on with that button anyway, if you’re still seeing it?

Button is clickable but after clicking “Fix it” there is an error: “Failed to apply fix. Please try again.”.
After updating Next.js and the libraries, that warning still occurs.

Thanks for the report, @piotr-2296! Good to know, I’ll raise internally.

@heystu I think he’s using v15, so switching to v16 might break dependencies. He should go with 15.5 which seems to be what v0 suggested.

The v0 team is looking into this right now

Security Vulnerability Detected
This app uses Next.js 16.0.0 which has a recently discovered security flaw. Click below to upgrade to a secure version. Your published projects are protected by our platform level protections. Learn more

I am getting “Failed to apply” if this is related

That is helpful - thank you Ian! The team is actively looking at this.

The prompt I gave will sort this out.

Ah ok interesting. Hmmm…. then I am thinking just updating the prompt to say that would work just fine.
But as Pauline said, seems the team is looking into it.

The prompt should work, but we also want to ensure this button actually resolves the issue. 🙏 Appreciate your patience, folks!

The fix should be deployed, can you folks try the Fix in v0 button now and see if it’s working correctly?

Now working for me 🙂

Still getting this error, however, which stops the preview from working. Is this a known bug?

Unhandled promise rejection: InvalidCharacterError: Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.

I believe that’s associated with your project. I’d try putting this error in and asking v0 what it means and how to fix it in the current project.

I mean… 😑

Yeah, explicitly specifying the patch version worked. The summarized answer is wrong – my package.json was indeed fixed without a problem.

Also, FYI, the “Fix with” button worked this morning after a hard refresh. I suspect the issue is that I still have a long-standing issue where another run-time dependency issue in the Next.js preview environment was showing up. Perhaps that was somehow blocking the Next.js security patch “Fix with” button from being clickable. But now it is.
