Next.js application platform, deployment workflow, and Vercel service status watch.
Vendor watch hub
The Vercel / Next.jswatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
May 21, 2026, 10:01 AM
Feed refreshes daily · 5:15 a.m. Central
Sources·Vercel status page (vercel-status.com)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 20 most recent items, newest first. Each row links to the official advisory.
20 rows · sorted newest first
Operations viewWe are currently investigating elevated build failures affecting a subset of Vite projects. Affected deployments may be timing out. We’ve identified an issue and are working on the fix.
We've identified an issue where some users may see missing Build CPU Minutes data on Usage pages in the Vercel Dashboard. The issue has been resolved, and we are backfilling the affected usage data.
We're investigating an issue where customers are currently experiencing application failures due to function invocation errors when using React Router 7.
We are investigating an issue where support cannot be submitted through the dashboard.
A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000.
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.
Workflow Storage Retention and Workflow Storage Writes are being incorrectly calculated in usage data. The team is investigating and working to resolve the discrepancy.
Between 1:30 to 3:44 UTC, messages in Vercel Queues in iad1 were enqueued but not processed, and Vercel Workflows were blocked from making progress (i.e. remaining in pending / active states). This is recovering, Vercel Queues backlogs are being processed, and Vercel Workflows are unblocked.
Between 18:36 and 19:04 UTC, issuing SSL certificates was delayed for new domains. These certificates have now been issued. Certificate renewals were not affected.
We've identified an issue where some customers may experience delays in builds starting and/or builds stuck in an initializing state. We are applying a fix and will provide additional updates as they become available.
Some Vercel functions that run in the IAD1 region are experiencing elevated invocation failures. We are investigating the issue and will share more information as it becomes available.
We are investigating an issue affecting new deployments that are stuck in the provisioning state. We will share more information as it becomes available.
We are experiencing increased error rates with Workflows running on Vercel. We have identified the issue and are implementing a fix.
We've identified an issue where various services in the Vercel dashboard, API, and CLI are failing to load data. These services include Observability, Speed Insights, Alerts, Usage, Web Analytics, Firewall, and CDN observability. Broadly, areas backed by analytical data are affected. We have identified the issue and are working on a fix. Production applications running on Vercel are not impacted.
Between 21:45–21:52 UTC, some users may have experienced request failures in ICN1. The issue has been identified, a fix has been applied, and the issue has been resolved.
Between May 1, 11:01 am – May 1, 11:09 am UTC, users may have seen increased function invocation errors for traffic originated near the ICN1 Vercel CDN region. Requests to static assets/cached content were unaffected this time. We have reverted the change that caused the issue to mitigate this.
We are currently investigating this issue.
We are currently investigating this issue.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
Elevated Build ErrorsWe are currently investigating elevated build failures affecting a subset of Vite projects. Affected deployments may be timing out. We’ve identified an issue and are working on the fix. Builds | minor Watch | resolved | May 21, 2026, 10:01 AM | Status incidentOpen source |
Missing Build CPU Minutes Usage DataWe've identified an issue where some users may see missing Build CPU Minutes data on Usage pages in the Vercel Dashboard. The issue has been resolved, and we are backfilling the affected usage data. Builds | minor Watch | resolved | May 20, 2026, 3:07 PM | Status incidentOpen source |
Increased Function Invocation Errors - ERR_MODULE_NOT_FOUNDWe're investigating an issue where customers are currently experiencing application failures due to function invocation errors when using React Router 7. Edge Functions | minor Watch | resolved | May 18, 2026, 4:42 PM | Status incidentOpen source |
Support cases cannot be submittedWe are investigating an issue where support cannot be submitted through the dashboard. Support Chat | minor Watch | resolved | May 18, 2026, 10:00 AM | Status incidentOpen source |
ai vulnerability (CVE-2026-8768)A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. ai | MEDIUMCVE-2026-8768 Watch | watch | May 17, 2026, 6:17 PM | NVDOpen source |
ai vulnerability (CVE-2026-8767)A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. ai | LOWCVE-2026-8767 Watch | watch | May 17, 2026, 6:17 PM | NVDOpen source |
turborepo language server protocol vulnerability (CVE-2026-46508)Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and task runs. A malicious workspace could provide crafted values through workspace settings or task names in the repository's source code that were interpolated into shell commands. When the extension activated or when a user ran a task through the extension, those values could be interpreted by the user's shell, allowing arbitrary command execution with the privileges of the local VS Code process. This vulnerability is fixed in 2.9.14000. turborepo language server protocol | HIGHCVE-2026-46508 Watch | watch | May 15, 2026, 11:16 AM | NVDOpen source |
turborepo vulnerability (CVE-2026-45772)Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14. turborepo | NONECVE-2026-45772 Watch | watch | May 15, 2026, 11:16 AM | NVDOpen source |
Workflow usage amounts are incorrectly calculatedWorkflow Storage Retention and Workflow Storage Writes are being incorrectly calculated in usage data. The team is investigating and working to resolve the discrepancy. Workflow | minor Watch | resolved | May 15, 2026, 5:34 AM | Status incidentOpen source |
Vercel Queues, and Vercel Workflow runs were delayedBetween 1:30 to 3:44 UTC, messages in Vercel Queues in iad1 were enqueued but not processed, and Vercel Workflows were blocked from making progress (i.e. remaining in pending / active states). This is recovering, Vercel Queues backlogs are being processed, and Vercel Workflows are unblocked. Queues | minor Watch | resolved | May 8, 2026, 11:45 PM | Status incidentOpen source |
SSL Certificate Generation DelaysBetween 18:36 and 19:04 UTC, issuing SSL certificates was delayed for new domains. These certificates have now been issued. Certificate renewals were not affected. Next.js / Vercel | none Watch | resolved | May 8, 2026, 2:15 PM | Status incidentOpen source |
Delays Processing BuildsWe've identified an issue where some customers may experience delays in builds starting and/or builds stuck in an initializing state. We are applying a fix and will provide additional updates as they become available. Builds | minor Watch | resolved | May 8, 2026, 11:30 AM | Status incidentOpen source |
Elevated errors across multiple services in IAD1 (Washington, D.C., USA)Some Vercel functions that run in the IAD1 region are experiencing elevated invocation failures. We are investigating the issue and will share more information as it becomes available. Edge Functions | minor Watch | resolved | May 7, 2026, 8:18 PM | Status incidentOpen source |
Elevated Errors Creating New DeploymentsWe are investigating an issue affecting new deployments that are stuck in the provisioning state. We will share more information as it becomes available. Builds | minor Watch | resolved | May 7, 2026, 4:14 PM | Status incidentOpen source |
Increased error rate in WorkflowsWe are experiencing increased error rates with Workflows running on Vercel. We have identified the issue and are implementing a fix. Workflow | major Watch | resolved | May 5, 2026, 6:30 PM | Status incidentOpen source |
Failures to load data across multiple services on the Vercel dashboard, API, and CLIWe've identified an issue where various services in the Vercel dashboard, API, and CLI are failing to load data. These services include Observability, Speed Insights, Alerts, Usage, Web Analytics, Firewall, and CDN observability. Broadly, areas backed by analytical data are affected. We have identified the issue and are working on a fix. Production applications running on Vercel are not impacted. Dashboard | minor Watch | resolved | May 5, 2026, 10:15 AM | Status incidentOpen source |
Request Failures in ICN1 (Seoul, South Korea)Between 21:45–21:52 UTC, some users may have experienced request failures in ICN1. The issue has been identified, a fix has been applied, and the issue has been resolved. Next.js / Vercel | major Watch | resolved | May 4, 2026, 5:26 PM | Status incidentOpen source |
Elevated Functions Invocation Errors in ICN1 (Seoul, South Korea) RegionBetween May 1, 11:01 am – May 1, 11:09 am UTC, users may have seen increased function invocation errors for traffic originated near the ICN1 Vercel CDN region. Requests to static assets/cached content were unaffected this time. We have reverted the change that caused the issue to mitigate this. Edge Functions | none Watch | resolved | May 1, 2026, 6:30 AM | Status incidentOpen source |
Elevated Build ErrorsWe are currently investigating this issue. Builds | minor Watch | resolved | Apr 30, 2026, 1:57 PM | Status incidentOpen source |
Elevated Build Errors for Secure Compute/Static IPs ProjectsWe are currently investigating this issue. Builds | minor Watch | resolved | Apr 30, 2026, 12:30 PM | Status incidentOpen source |
Related vendors
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the website design & development pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Vercel / Next.js-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Vercel / Next.js issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Vercel / Next.js advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.