We just released a patch that bumps Payload’s Next.js peer dependency to 15.2.3 to address a recent security vulnerability in Next.js middleware.
You can read the full advisory on the Next.js blog and reference the Payload release here.
It’s important to note that this vulnerability does not affect any of Payload’s core functionality. Payload doesn’t use any Next.js middleware internally, and all authentication is handled by Payload itself: each of our endpoints and admin UI views is protected separately by Payload’s own internal logic, so no request reaches a Payload endpoint or admin view relying on a middleware check alone.
In addition, Payload’s auth methods (payload.auth) aren’t yet available in Next.js middleware, so there is no way for Payload authentication logic to be misused within Next.js middleware.
That said, you may be impacted if you’ve built or are using additional Next.js middleware outside of Payload, particularly middleware that makes its own authentication or authorization decisions. For this reason, we’re bumping our minimum Next.js peer dependency for Payload versions 3.30.0 and up, just to err on the side of safety for everyone.
In any case, we strongly recommend upgrading your Next.js version to one of the patched releases listed in the Next.js advisory.
The silver lining of all this is that Next.js compilation has been getting faster and faster, so by updating you’ll ideally also see your dev mode compilation time decrease.
There are no breaking changes with this release, as we only require a Next.js peer dependency and don’t install it on your behalf. However, if you have questions, feel free to give us a shout on Discord or GitHub.