New deployments with vulnerable versions of the third-party package next-mdx-remote are now blocked by default

Vercel now automatically blocks deployments using vulnerable versions of the third-party package next-mdx-remote affected by CVE-2026-0969.

• •New deployments containing vulnerable next-mdx-remote versions will automatically fail on Vercel
• •Upgrading to a patched version is strongly recommended regardless of hosting provider
• •The automatic protection can be disabled via the DANGEROUSLY_DEPLOY_VULNERABLE_CVE_2026_0969=1 environment variable

This summary was automatically generated by AI based on the original article and may not be fully accurate.