Company
Date Published
Author: -
Word count: 1037
Language: English
Hacker News points: None

Summary

We recently disclosed a critical vulnerability in Next.js, which was discovered through private GitHub reporting. The vulnerability affected older versions of Next.js (12.x) and impacted self-hosted applications using `next start` and standalone output. After investigating the report, our security team confirmed the validity of the issue and began researching remediation options. We released patches for Next.js 14.2.25 and 15.2.3, and also published a changelog on Vercel stating that customers were protected. The vulnerability was later made public by GitHub, but we had already communicated with affected partners and provided additional support. Our team is now improving how issues get reported, enhancing our process for responding to disclosures, and implementing new security measures to prevent similar vulnerabilities in the future.