opennextjs · vicb · Dec 11, 2025 · Dec 11, 2025
diff --git a/.changeset/salty-beers-float.md b/.changeset/salty-beers-float.md
@@ -0,0 +1,13 @@
+---
+"@opennextjs/aws": patch
+---
+
+Bump Next and React to fix vulnerabilities (CVE-2025-55184 and CVE-2025-55183)
+
+Note that Next 13 has been removed from the allowed peer Dependency range,
+because it is vulnerable under specific conditions.
+
+If possible we will check the conditions at build time and relax the peer dependency.
+
+See <https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components>
+See <https://nextjs.org/blog/security-update-2025-12-11>
diff --git a/packages/open-next/package.json b/packages/open-next/package.json
@@ -64,7 +64,7 @@
     "typescript": "catalog:"
   },
   "peerDependencies": {
-    "next": "< 14.2 || ^14.2 || 14.3.0-canary.0 - 14.3.0-canary.76 || ~15.0.5 || ~15.1.9 || ~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^16.0.7"
+    "next": "^14.2.34 || ~15.0.6 || ~15.1.10 || ~15.2.7 || ~15.3.7 || ~15.4.9 || ~15.5.8 || ^16.0.9"
   },
   "bugs": {
     "url": "https://github.com/opennextjs/opennextjs-aws/issues"