EOL Software
Jul 7, 2026

Next.js EOL Dates: Version Support Timeline (9 Through 16)

A complete reference for every Next.js release timeline, the CVEs hitting end-of-life versions, and what teams running Next.js 13 and earlier need to do now.

Next.js powers a large share of production React applications, from marketing sites to enterprise dashboards and full-stack platforms. It is one of the most-depended-on packages on npm, with tens of millions of weekly downloads of the next package. Vercel ships a new major version roughly once a year, and each major now carries a fixed support clock: two years from its initial release, then end of life.

That clock matters. Next.js 14 reached end of life on October 26, 2025. Next.js 13 and everything before it are already unsupported. And a wave of CVEs disclosed across 2025 and into 2026 (a critical middleware authorization bypass, SSRF, cache poisoning, content injection, and multiple denial-of-service flaws) landed squarely on versions that no longer receive patches.

This guide is the definitive reference for every Next.js major version: when it shipped, when its support window closes, the CVEs that affect it, and what your options are once you cross into EOL.

How Next.js's Support Policy Works

Next.js follows semantic versioning and an official two-phase LTS model, published on the Next.js Support Policy page:

  • Active LTS: A major version enters Active LTS the moment it is released and stays there until the next major ships. During Active LTS it receives new features, regular bug fixes, performance improvements, and security patches. This is the phase you want to be on in production.
  • Maintenance LTS: When a new major is released, the previous major transitions to Maintenance LTS. In this phase Next.js ships only critical bug fixes and essential security updates: no new features. Updates land as semver-minor releases, even when they contain breaking changes.
  • End of Life (EOL): Each major version remains in Maintenance LTS for two years following its initial release date. After that two-year window closes, the version is unsupported. No security patches, no bug fixes, no compatibility work.

The detail that trips teams up: the two-year clock runs from the initial release date of the major, not from the date it entered Maintenance LTS. A version released in October 2023 reaches EOL in October 2025, regardless of when the next major shipped. Patches are sometimes backported to out-of-policy versions at the team's discretion, but that is not guaranteed and should never be part of a production risk plan.

Next.js also publishes two release channels: stable and canary. Only stable is suitable for production.

Complete Next.js Version Timeline

The table below covers every Next.js major version, its release date, its security support status, and the latest patch release on that line. EOL dates are derived from Vercel's published policy (initial release date plus two years) and cross-checked against endoflife.date/nextjs.

| Version | Release Date | Security Support Ends (EOL) | Status | Latest Release |
|---|---|---|---|---|
| Next.js 16 | Oct 22, 2025 | Oct 22, 2027 (projected) | Active LTS | 16.2.6 |
| Next.js 15 | Oct 21, 2024 | Oct 21, 2026 | Maintenance LTS | 15.5.18 |
| Next.js 14 | Oct 26, 2023 | Oct 26, 2025 | EOL | 14.2.35 |
| Next.js 13 | Oct 25, 2022 | Dec 21, 2024 | EOL | 13.5.11 |
| Next.js 12 | Oct 26, 2021 | Nov 21, 2022 | EOL | 12.3.7 |
| Next.js 11 | Jun 15, 2021 | Jan 27, 2022 | EOL | 11.1.4 |
| Next.js 10 | Oct 27, 2020 | Jun 15, 2021 | EOL | 10.2.3 |
| Next.js 9 | Jul 8, 2019 | Oct 27, 2020 | EOL | 9.5.5 |

Note: versions 9 through 13 predate Vercel's formalized two-year LTS policy, so their support windows ended on the older "supported until the next-next major" model reflected in endoflife.date. The two-year clock applies cleanly to versions 14 and later. Next.js 16's projected EOL assumes the published two-year policy holds.

Versions Reaching EOL Next: What to Watch

Next.js 15 End of Life: October 21, 2026

Next.js 15 is currently in Maintenance LTS and loses all official support on October 21, 2026. It still receives critical security patches until then, which makes the next several months the window to plan a clean upgrade to Next.js 16 rather than a rushed one under audit pressure.

Next.js 15 was directly affected by the May 2026 security release, in which Vercel patched 13 advisories spanning middleware bypass, denial of service, SSRF, cache poisoning, and cross-site scripting. Those fixes shipped in 15.5.18 (and 16.2.6). Critically, earlier minors of 15.x were not patched; affected projects must move to the patched minor. Teams pinned to an old 15.x minor are carrying the same exposure as an EOL version until they update.

Next.js 14 End of Life: October 26, 2025 (Already EOL)

Next.js 14 reached end of life on October 26, 2025, two years after its initial release. It received a final patch (14.2.35) on December 11, 2025, but it is now outside the support policy. The 14.x line was heavily affected by the 2025 CVE wave:

  • CVE-2025-29927 (CVSS 9.1, Critical): Middleware authorization bypass. Fixed in 14.2.25.
  • CVE-2025-57822 (CVSS 6.5, Medium): SSRF via improper middleware redirect handling. Fixed in 14.2.32.
  • CVE-2025-57752 (CVSS 6.2, Medium): Image Optimization cache key confusion leading to unauthorized disclosure. Fixed in 14.2.31.
  • CVE-2025-55173 (CVSS 4.3, Medium): Image Optimization content injection enabling malicious file delivery. Fixed in 14.2.31.

Any 14.x deployment below those patch levels is exploitable, and because 14.x is now EOL, no further 14.x fixes are guaranteed for CVEs disclosed after the support window closed.

Next.js 13 and Earlier: Fully Unsupported

Next.js 13 (EOL December 21, 2024), 12, 11, 10, and 9 are all unsupported. CVE-2025-29927 alone affected versions 11.1.4 through the pre-fix 13.x, 14.x, and 15.x releases, and the official fix for the 12.x and 13.x lines (12.3.5 and 13.5.9) was a courtesy backport, not a support commitment. Newer CVEs like the Image Optimization and RSC flaws are simply not being patched on these lines. As HeroDevs' vulnerability directory entry for CVE-2025-57752 notes, Next.js 13 and older will not receive updates to address that issue.

The Next.js CVEs Driving EOL Risk

The single most important Next.js vulnerability to date is the middleware authorization bypass. It is the textbook case for why an unpatched, EOL Next.js version is an active liability rather than passive technical debt.

CVE-2025-29927: Middleware Authorization Bypass

Disclosed March 21, 2025 with a CVSS score of 9.1 (Critical), CVE-2025-29927 lets an attacker skip Next.js middleware entirely by sending a crafted internal header, x-middleware-subrequest. Because middleware is the layer where many applications enforce authentication, authorization, route protection, redirects, and CSP headers, bypassing it can expose protected admin routes and sensitive APIs to unauthenticated requests.

Affected and fixed versions:

| Branch | Affected | Fixed In |
|---|---|---|
| 15.x | < 15.2.3 | 15.2.3 |
| 14.x | < 14.2.25 | 14.2.25 |
| 13.x | >= 13.0.0, < 13.5.9 | 13.5.9 |
| 12.x | >= 12.0.0, < 12.3.5 | 12.3.5 |
| 11.x | 11.1.4 and up | No in-policy fix |

The exposure is specific to self-hosted deployments using next start (applications on Vercel and Netlify were not affected by design). If you cannot patch, the documented mitigation is to strip or block external requests carrying the x-middleware-subrequest header at your reverse proxy or load balancer. For EOL versions like 11.x where no official patch exists, that header-stripping mitigation, or a maintained drop-in replacement, is the only path to closing the hole.

For a full walkthrough of the bypass, the exploit mechanics, and remediation options, see HeroDevs' deep dive: Authorization Bypass in Next.js Middleware (CVE-2025-29927): What You Need to Know.

Other Notable Next.js CVEs (2025–2026)

  • CVE-2025-49826 (High): Cache poisoning leading to DoS, where an HTTP 204 response could be cached and served to all users of a static page. Affected 15.1.x; fixed in 15.1.8.
  • CVE-2025-57822 (Medium): SSRF via improper middleware redirect handling when next() is called without explicitly passing the request object. Affected self-hosted apps before 14.2.32 and 15.4.7.
  • CVE-2025-57752 (Medium): Image Optimization cache key confusion that can leak user-specific image content (served from cache without the original request's auth headers in the cache key). Fixed in 14.2.31 and 15.4.5.
  • CVE-2025-55173 (Medium): Image Optimization content injection allowing attacker-controlled image sources to trigger downloads with arbitrary content and filenames. Fixed in 14.2.31 and 15.4.5.
  • May 2026 advisory cluster: 13 advisories patched in 15.5.18 and 16.2.6, including DoS in React Server Components, SSRF in apps using WebSocket upgrades, cache poisoning in RSC responses, and XSS in App Router applications using CSP nonces.

For a closer look at the two Image Optimization flaws, HeroDevs has a dedicated breakdown: Two New Next.js Vulnerabilities: Content Injection and Cache Deception in the Image Optimizer.

The pattern is clear: Next.js's attack surface has grown alongside its server-side feature set (middleware, Image Optimization, Server Actions, React Server Components), and each new class of CVE lands on whatever versions are still in the wild. Versions past EOL accumulate this exposure permanently.

What Happens After End of Life

When a Next.js major reaches EOL, three things happen, and none of them are theoretical:

  1. Security patches stop. New CVEs disclosed against the line go unpatched. The 2025–2026 Next.js CVEs show how fast this matters: a 9.1-severity auth bypass disclosed in March 2025 received official fixes only down to 12.3.5, and the Image Optimization and RSC vulnerabilities that followed were never backported to 13.x or earlier. An EOL Next.js app is permanently exposed to every server-side CVE found after its window closed.
  2. Compatibility degrades. Next.js is tightly coupled to React and the Node.js runtime. As React advances (Server Components, the React Flight protocol) and Node.js majors hit their own EOL, an unmaintained Next.js version falls out of step with the runtime and dependency ecosystem around it. Upgrading Node or a major dependency later becomes a forced, high-risk migration.
  3. Compliance audits flag it. SOC 2, PCI DSS, HIPAA, FedRAMP, and the EU Cyber Resilience Act all expect organizations to run supported software with a patching path for known vulnerabilities. A dependency scanner that finds Next.js 13 with an open critical CVE will flag it as EOL/obsolete software, and that finding has to be remediated or formally risk-accepted before an audit passes.

Options for EOL Next.js Versions

There are three legitimate paths once your version is past EOL. The right one depends on your timeline, your appetite for refactoring, and your compliance deadlines.

1. Upgrade to a supported version. Moving to Next.js 16 (Active LTS) or 15 (Maintenance LTS until October 2026) is the best long-term answer. Next.js 15+ ships an automated upgrade codemod (npx @next/codemod@latest upgrade latest). The real cost is not the version bump itself but the surrounding work: the App Router migration if you are still on the Pages Router, React 19 compatibility, and the breaking changes that Maintenance LTS ships as semver-minor releases. Budget for testing, not just the upgrade command.

2. Migrate to a different framework. Some teams treat an EOL event as the trigger for a larger architectural change (to Remix, Astro, a plain React SPA, or another stack). This is the most expensive and time-consuming option, and your EOL Next.js app keeps accumulating unpatched exposure for the entire duration of the migration. Only choose this when there is a real architectural reason beyond "we're stuck on an old version."

3. Adopt commercial extended support. HeroDevs Never-Ending Support (NES) for Next.js provides a drop-in replacement for EOL Next.js versions, with continued security patches delivered the day OSS support ends: no gap in coverage. NES for Next.js already includes a patch for CVE-2025-29927, so organizations still on Next.js 11 or 12 can close the critical middleware bypass without an emergency migration. Installation is a package.json change pointing at the NES private registry plus a rebuild, with no application code changes. NES carries SLAs aligned to SOC 2, FedRAMP, PCI DSS, and HIPAA, which is what makes it a defensible answer to an auditor rather than a workaround. This is the right fit when you need to stay secure and compliant on your current version while you plan an upgrade deliberately, on your own timeline.

For CVE-by-CVE coverage details, the HeroDevs vulnerability directory tracks the specific Next.js advisories NES remediates. If you are weighing the risk of staying on an unsupported line, CVE-2026-29057 and CVE-2026-27980: Two New Vulnerabilities Affecting End-of-Life Next.js shows how new flaws keep landing on EOL versions long after the support window closes.

Quick Reference: Is My Next.js Version Supported?

| Version Range | Status | Recommended Action |
|---|---|---|
| 16.x | Active LTS | Stay current with patch releases |
| 15.x (latest minor) | Maintenance LTS until Oct 21, 2026 | Plan upgrade to 16; update to the patched minor now |
| 15.x (old minor) | Unpatched | Update to 15.5.18+ immediately |
| 14.x | EOL (Oct 26, 2025) | Upgrade to 16, or adopt NES to stay patched |
| 13.x and earlier | EOL | Upgrade, or adopt NES for continued security + compliance |
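The quick-reference lookup can be automated. The following is an added example, not code from Vercel or HeroDevs: it takes an installed version string and reports the branch's EOL date from the timeline plus every advisory in this article whose fixed-in version the install has not reached. The function names are hypothetical, and where the article only says "before X" the affected range is assumed to start at the branch's .0.0 release.

```javascript
// Added example. All versions and dates are transcribed from this article.
// [advisory, first affected version on the branch, fixed-in version or null]
// Assumption: "before X" in the article is taken as "from <major>.0.0 up to X".
const ADVISORIES = [
  ["CVE-2025-29927", "11.1.4", null], // 11.x: no in-policy fix
  ["CVE-2025-29927", "12.0.0", "12.3.5"],
  ["CVE-2025-29927", "13.0.0", "13.5.9"],
  ["CVE-2025-29927", "14.0.0", "14.2.25"],
  ["CVE-2025-29927", "15.0.0", "15.2.3"],
  ["CVE-2025-49826", "15.1.0", "15.1.8"], // article: affects 15.1.x only
  ["CVE-2025-57822", "14.0.0", "14.2.32"],
  ["CVE-2025-57822", "15.0.0", "15.4.7"],
  ["CVE-2025-57752", "14.0.0", "14.2.31"],
  ["CVE-2025-57752", "15.0.0", "15.4.5"],
  ["CVE-2025-55173", "14.0.0", "14.2.31"],
  ["CVE-2025-55173", "15.0.0", "15.4.5"],
  ["May 2026 advisory cluster", "15.0.0", "15.5.18"],
  ["May 2026 advisory cluster", "16.0.0", "16.2.6"],
];
const EOL = { 9: "2020-10-27", 10: "2021-06-15", 11: "2022-01-27", 12: "2022-11-21",
  13: "2024-12-21", 14: "2025-10-26", 15: "2026-10-21", 16: "2027-10-22" };

// Parse "v15.2.3" or "15.2.3-canary.4" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognized version: ${v}`);
  return { parts: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// Negative when a < b. A prerelease sorts before the release of the same number.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.parts[i] !== y.parts[i]) return x.parts[i] - y.parts[i];
  }
  return Number(y.pre) - Number(x.pre);
}

// Report EOL status and every listed advisory whose fix this version lacks.
function auditNextVersion(version, today = new Date()) {
  const major = parseVersion(version).parts[0];
  const missing = ADVISORIES.filter(([, from, fixed]) =>
    parseVersion(from).parts[0] === major &&
    compareVersions(version, from) >= 0 &&
    (fixed === null || compareVersions(version, fixed) < 0)
  ).map(([id, , fixed]) => ({ id, fixedIn: fixed ?? "no in-policy fix" }));
  const eolDate = EOL[major] ?? null;
  return { version, eolDate, pastEol: eolDate ? today >= new Date(eolDate) : null, missing };
}
```

An empty `missing` list on an EOL branch does not mean the install is unaffected: the table holds only the per-branch fixes this article lists, and the article states that newer flaws are not being patched on 13.x and earlier.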

Frequently Asked Questions

When does Next.js 15 reach end of life?

Next.js 15 reaches end of life on October 21, 2026, two years after its initial release on October 21, 2024. It is currently in Maintenance LTS and receives only critical bug fixes and essential security updates until that date.

Is Next.js 14 still supported?

No. Next.js 14 reached end of life on October 26, 2025. It received a final patch (14.2.35) in December 2025, but it is now outside the official support policy and will not receive guaranteed security patches for newly disclosed CVEs.

How long is each Next.js version supported?

Each Next.js major version is supported for two years from its initial release date. It starts in Active LTS (new features plus fixes plus security patches) until the next major ships, then moves to Maintenance LTS (critical fixes and security patches only) for the remainder of the two-year window.

What is the difference between Active LTS and Maintenance LTS in Next.js?

Active LTS versions receive new features, regular bug fixes, performance improvements, and security patches. Maintenance LTS versions receive only critical bug fixes and essential security updates, with no new features, and those updates ship as semver-minor releases for the rest of the two-year support window.

Does Next.js provide security support after end of life?

No. Once a Next.js major reaches EOL, the core team no longer ships patches, bug fixes, or security updates for that line. Continued security coverage requires either upgrading to a supported version or using commercial extended support such as HeroDevs NES for Next.js.

What is the most serious Next.js CVE?

CVE-2025-29927, a middleware authorization bypass with a CVSS score of 9.1, is the most severe Next.js vulnerability disclosed to date. It lets attackers skip middleware-based authentication and authorization by sending a crafted x-middleware-subrequest header, and it affected self-hosted Next.js versions from 11.1.4 through the pre-fix 15.x releases.

What to Do Now

Next.js's two-year support clock and annual release cadence mean that staying current is a recurring, plannable cost, not a one-time event. The danger is letting a version quietly cross its EOL date while the server-side CVEs keep coming. If you are on Next.js 14 or earlier, you are already there.

Identify your version (npx next --version), check it against the timeline above, and choose a path: upgrade to 16, migrate, or secure your current version with extended support. The one option that is not viable is leaving an EOL version unpatched in production.

If your organization is running an end-of-life version of Next.js, explore NES for Next.js or contact HeroDevs to discuss keeping it secure and compliant while you plan your upgrade.

Author
Javier Perez
Technical Product Owner & Manager - Javascript