CVE-2025-66478 with Canary versions (using PPR)

[rodyvansambeek]

Summary

With the newly published CVE-2025-66478, I’m trying to upgrade several projects still running on Next.js 15 canary. These apps rely heavily on Partial Prerendering (PPR), and upgrading to Next.js 16 with Cache Components is not an option yet.

However, when upgrading to the latest patched 15.x release, Next.js now rejects the PPR config:

The experimental feature "experimental.ppr" can only be enabled when using the latest canary version of Next.js.

This puts us in a difficult position:
We need a patched 15.x version to fix the security vulnerability.
But the patched 15.x builds block experimental.ppr, making existing PPR-based applications impossible to run.

Downgrading to a 14.x canary to re-enable PPR is not viable.

What is the recommended path for teams who need to stay on Next.js 15 and rely on PPR, but must also patch for CVE-2025-66478?
Is there a supported migration path, a temporary flag, or guidance for safely keeping PPR enabled on patched 15.x releases?

Additional information

No response

Example

No response

[icyJoseph]

Please see: #86813

The path is as follows, pick a stable version, and enable experimental features by patching it with the patches defined in that link.

[rodyvansambeek]

@icyJoseph Maybe a good idea to add this information, or at least a link to #86813, in the blogpost as well:

Because there it was stated explicitly that:

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.

[icyJoseph]

Thanks for the feedback, I should also let you know that https://github.com/vercel/next.js/releases/tag/v15.6.0-canary.58 was released, specifically for those who only care about experimental PPR + the CVE Patch