- Jan 16, 2026
- Parsed from source:Jan 16, 2026
- Detected by Releasebot:Jan 17, 2026
Security Update: DoS vulnerability in Node.js
Node.js releases a security update for an async_hooks DoS vulnerability impacting many apps. Netlify’s autoscaling serverless platform limits impact, but malicious requests can raise cold starts and costs. If you use Node.js 18 in Functions, upgrade to 20+; builds are unaffected.
The Node.js team has released a security update addressing a denial-of-service vulnerability affecting applications that use async_hooks (including in dependencies). Here’s what Netlify customers need to know.
Vulnerability
When async_hooks are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses try-catch blocks and uncaught exception handlers entirely.
A malicious actor could send a crafted payload to crash a server.
Note that many common tools and frameworks use async_hooks under the hood, notably APM and tracing tools (e.g. DataDog, NewRelic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find more details on that here.
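To see which installed packages pull in async_hooks, the following added example (not Netlify's or the Node.js project's code) scans source text for imports of `async_hooks` or `node:async_hooks` and groups the hits by owning package. The input is a map of file path to file contents that you would build by reading your project and its node_modules; the sample tree and its package names are constructed.

```javascript
// Matches require(), static import, side-effect import and dynamic import()
// of 'async_hooks' or 'node:async_hooks'. Heuristic: comments are not stripped.
const ASYNC_HOOKS_IMPORT =
  /(?:require\(\s*|from\s+|import\(\s*|import\s+)['"](?:node:)?async_hooks['"]/;

// Package that owns a file: the innermost node_modules/ segment, or
// '(app code)' for first-party files. Scoped names keep both parts.
function owningPackage(filePath) {
  const idx = filePath.lastIndexOf('node_modules/');
  if (idx === -1) return '(app code)';
  const parts = filePath.slice(idx + 'node_modules/'.length).split('/');
  return parts[0].startsWith('@') ? `${parts[0]}/${parts[1]}` : parts[0];
}

// files: { path: sourceText }. Returns { packageName: [paths that import async_hooks] }.
function findAsyncHooksUsers(files) {
  const users = {};
  for (const [filePath, source] of Object.entries(files)) {
    if (!ASYNC_HOOKS_IMPORT.test(source)) continue;
    const pkg = owningPackage(filePath);
    (users[pkg] ||= []).push(filePath);
  }
  return users;
}

// Constructed sample tree; package names are hypothetical.
const SAMPLE_FILES = {
  'src/handler.js': "export default async () => new Response('ok');",
  'node_modules/example-tracer/index.js':
    "const { AsyncLocalStorage } = require('node:async_hooks');",
  'node_modules/@example/ctx/dist/store.mjs':
    'import { createHook } from "async_hooks";',
  'node_modules/example-web/node_modules/lazy-ctx/load.js':
    "const hooks = await import('async_hooks');",
  'node_modules/left-alone/readme.js': '// does not use async_hooks at all',
};

console.log(findAsyncHooksUsers(SAMPLE_FILES));
```

A hit in a transitive dependency counts the same as one in your own code, which is why nested node_modules paths are attributed to the innermost package.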
Impact on Netlify
This is a server-side denial-of-service (DoS) vulnerability. On Netlify, this has minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.
Note that Node.js used during your project’s build is not impacted at all.
What should I do?
If you have opted your Netlify Functions into Node.js 18, we recommend upgrading to Node.js 20 or later. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.
Otherwise, there is no action for you to take. Although this CVE’s impact to Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.
For completeness, please note that the Node.js version used during your project’s build is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.
Resources
- Node.js security release announcement
- Netlify Functions Node.js version configuration
- Jan 15, 2026
- Parsed from source:Jan 15, 2026
- Detected by Releasebot:Jan 16, 2026
Security Update: Multiple vulnerabilities in SvelteKit
Svelte and Netlify issue a security advisory on five CVEs impacting Svelte/SvelteKit with DoS and XSS risks. Netlify reports minimal site impact but urges upgrades to patched releases across devalue, kit, adapter-node, and svelte to mitigate exposure.
Vulnerabilities
The Svelte team has disclosed five CVEs affecting the Svelte and SvelteKit ecosystem. Here’s what Netlify customers need to know.
- CVE-2026-22775: Memory/CPU exhaustion in devalue (5.1.0–5.6.1)
- CVE-2026-22774: Memory exhaustion in devalue (5.3.0–5.6.1)
- CVE-2026-22803: Server crash in @sveltejs/kit (2.49.0–2.49.4)
- CVE-2025-67647: Server crash and SSRF in @sveltejs/kit (2.44.0–2.49.4) and @sveltejs/adapter-node (2.19.0–2.49.4)
- CVE-2025-15265: XSS in svelte (5.46.0–5.46.3)
Impact on Netlify
CVE-2026-22775, CVE-2026-22774, and CVE-2026-22803
These are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
In addition, note that only sites using the experimental Remote Functions feature are affected.
CVE-2025-67647
As above, this DoS vulnerability involves intentionally “crashing” a server. On Netlify, this has minimal impact.
The SSRF vulnerability affects @sveltejs/adapter-node, which is not used by apps deployed to Netlify.
CVE-2025-15265
This is a client-side cross-site scripting (XSS) vulnerability. Regardless of hosting provider, all apps using the experimental hydratable with unsanitized user-controlled keys are vulnerable.
What should I do?
Although the impact to Netlify sites is limited in this case, we always strongly recommend upgrading as soon as possible to patched releases:
- devalue 5.6.2 or later
- @sveltejs/kit 2.49.5 or later
- @sveltejs/adapter-node 5.5.1 or later
- svelte 5.46.4 or later
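To check a project against the ranges and patched releases listed above, this added example (not code from Netlify or the Svelte team) walks the `packages` map of a package-lock.json and reports, for each installed copy, the CVEs whose listed range contains its version and whether it is below the recommended release. The sample lockfile is constructed.

```javascript
// Affected ranges (inclusive) and patched releases, copied from the advisory above.
const ADVISORIES = [
  ['CVE-2026-22775', 'devalue', '5.1.0', '5.6.1'],
  ['CVE-2026-22774', 'devalue', '5.3.0', '5.6.1'],
  ['CVE-2026-22803', '@sveltejs/kit', '2.49.0', '2.49.4'],
  ['CVE-2025-67647', '@sveltejs/kit', '2.44.0', '2.49.4'],
  ['CVE-2025-67647', '@sveltejs/adapter-node', '2.19.0', '2.49.4'],
  ['CVE-2025-15265', 'svelte', '5.46.0', '5.46.3'],
];
const PATCHED = { devalue: '5.6.2', '@sveltejs/kit': '2.49.5',
  '@sveltejs/adapter-node': '5.5.1', svelte: '5.46.4' };

// Compare x.y.z versions numerically; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// so nested copies under another package's node_modules are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (!Object.hasOwn(PATCHED, name)) continue;
    const cves = ADVISORIES
      .filter(([, pkg, lo, hi]) => pkg === name &&
        compareVersions(meta.version, lo) >= 0 && compareVersions(meta.version, hi) <= 0)
      .map(([cve]) => cve);
    const belowPatched = compareVersions(meta.version, PATCHED[name]) < 0;
    findings.push({ path, name, version: meta.version, cves, belowPatched });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/svelte': { version: '5.46.4' },
  'node_modules/@sveltejs/kit': { version: '2.49.2' },
  'node_modules/@sveltejs/kit/node_modules/devalue': { version: '5.2.0' },
  'node_modules/devalue': { version: '5.6.2' },
} };
```

`belowPatched` is computed independently of the listed ranges, so a copy that sits outside every range but is still older than the recommended release is surfaced for upgrade as well.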
Resources
Svelte team disclosure
- Jan 14, 2026
- Parsed from source:Jan 14, 2026
- Detected by Releasebot:Jan 15, 2026
GPT-5.2-Codex Now Available in AI Gateway and Agent Runners
Netlify launches GPT-5.2-Codex via AI Gateway and Agent Runners with zero config. Use the OpenAI SDK directly in Netlify Functions with automatic authentication and key management. Built‑in caching and rate limiting are included.
OpenAI GPT-5.2-Codex in Netlify AI Gateway
OpenAI’s GPT-5.2-Codex model is now available through Netlify’s AI Gateway and Agent Runners with zero configuration required.
Use the OpenAI SDK directly in your Netlify Functions without managing API keys or authentication. The AI Gateway handles everything automatically. Here’s an example using the GPT-5.2-Codex model:
```javascript
import OpenAI from 'openai';

export default async () => {
  const openai = new OpenAI();
  const response = await openai.responses.create({
    model: 'gpt-5.2-codex',
    input: 'How does AI work?'
  });
  return new Response(JSON.stringify(response), {
    headers: { 'Content-Type': 'application/json' }
  });
};
```

GPT-5.2-Codex is available across Background Functions, Scheduled Functions, and Agent Runners. You get automatic access to Netlify’s caching, rate limiting, and authentication infrastructure.
Learn more in the AI Gateway documentation and Agent Runners documentation.
- Jan 8, 2026
- Parsed from source:Jan 8, 2026
- Detected by Releasebot:Jan 8, 2026
Play Games While Agent Runners Do the Work
Netlify Entertainment System
While Agent Runners take care of tasks on your site, you can now play games right in the UI. We’ve brought the same beloved build-time games to the Agent Runner page, so you can flip tiles, play snake, install other games, or even create your own while your agent runs in the background.
A little delight, now everywhere you wait.
Learn more about the Netlify Entertainment System.
- Jan 8, 2026
- Parsed from source:Jan 8, 2026
- Detected by Releasebot:Jan 9, 2026
Prerender.io support available as new extension
Netlify adds Prerender.io as an extension for all customers, enabling advanced prerendering with a new dashboard. Existing legacy in‑app prerendering will be deprecated; migration steps and cutoff dates in Feb and Mar 2026.
Prerender.io extension
The third-party Prerender.io service for advanced prerendering is now available as an extension for all Netlify customers.
Previously, you needed a Netlify Pro plan or higher to set up Prerender.io with Netlify’s legacy in-app prerendering feature.
Prerender.io offers advanced configuration options and the Prerender.io dashboard. Learn more about the Prerender.io extension from the extension details page.
If you previously set up Prerender.io using Netlify’s legacy in-app prerendering feature, you need to update your configuration to continue using it this year. Learn more about your next steps and how to check if you need to update your configuration.
To check if your project still needs prerendering, see our prerendering needs checker documentation.
Configuration updates required for existing users
If you have a Netlify Pro plan and you set up the Prerender.io service with Netlify’s legacy prerendering feature (most likely before January 6, 2026), you’ll need to update your configuration to continue using it this year.
To check if your project is using Netlify’s legacy in-app prerendering feature, go to Project configuration > Build & deploy > Post processing > Prerendering from your Netlify project dashboard to see if the legacy prerendering feature is enabled.
Updates are required because Prerender.io no longer relies on Netlify’s legacy in-app prerendering feature, which is being deprecated and will stop working later this year.
Follow our migration steps to update your configuration before these key dates:
| Date | Impacted plans |
| --- | --- |
| February 17, 2026 | The feature will be disabled for customers on Personal or Pro plans (legacy or credit-based) |
| March 17, 2026 | The feature will be disabled for Enterprise and all other specialized plans. |

Learn more about this migration process in this migration post.
You can also reach out to Netlify Support for help.
- Dec 17, 2025
- Parsed from source:Dec 17, 2025
- Detected by Releasebot:Jan 7, 2026
Gemini 3 Flash Preview now available in AI Gateway
Google Gemini 3 Flash Preview is now available via AI Gateway, letting Netlify Functions call the model without API keys. It connects to Google and plays nicely with Netlify caching and rate limiting for scalable AI calls.
Google’s Gemini 3 Flash Preview via AI Gateway
Google’s Gemini 3 Flash Preview is now available through AI Gateway. You can call this model from Netlify Functions without configuring API keys; the AI Gateway provides the connection to Google for you.
Example usage in a Function:
```typescript
import { GoogleGenAI } from '@google/genai';
// Type for the second handler argument.
import type { Context } from '@netlify/functions';

export default async (request: Request, context: Context) => {
  const ai = new GoogleGenAI();
  const response = await ai.models.generateContent({
    model: 'gemini-3-flash-preview',
    contents: 'How does AI work?'
  });
  return new Response(JSON.stringify({ answer: response.text }), {
    headers: { 'Content-Type': 'application/json' }
  });
};
```

This model works across any function type and is compatible with other Netlify primitives such as caching and rate limiting, giving you control over request behavior across your site.
See the AI Gateway documentation for details.
- Dec 17, 2025
- Parsed from source:Dec 17, 2025
- Detected by Releasebot:Jan 7, 2026
GPT-image-1.5 now available in AI Gateway
OpenAI's GPT-image-1.5 is now accessible via AI Gateway, enabling image generation from Netlify Functions without API keys. The gateway handles OpenAI access and integrates with Netlify primitives for caching and rate limiting. A practical release for developers.
OpenAI’s GPT-image-1.5 is now available through AI Gateway
You can call this model from Netlify Functions without configuring API keys; the AI Gateway provides the connection to OpenAI for you.
Example usage in a Function:
```javascript
import OpenAI from 'openai';

const ai = new OpenAI();

export default async (req, context) => {
  const response = await ai.images.generate({
    model: 'gpt-image-1.5',
    prompt: 'Generate a realistic image of a golden retriever working in an office',
    n: 1,
    size: '1024x1024',
    quality: 'low',
    output_format: 'jpeg',
    output_compression: 80
  });
  // The image comes back base64-encoded; decode it to raw bytes for the response body.
  const imageBase64 = response.data[0].b64_json;
  const imageBuffer = Uint8Array.from(atob(imageBase64), c => c.charCodeAt(0));
  return new Response(imageBuffer, {
    status: 200,
    headers: { 'content-type': 'image/jpeg', 'cache-control': 'no-store' }
  });
};
```

This model works across any function type and is compatible with other Netlify primitives such as caching and rate limiting, giving you control over request behavior across your site.
See the AI Gateway documentation for details.
- Dec 16, 2025
- Parsed from source:Dec 16, 2025
- Detected by Releasebot:Jan 7, 2026
AI Gateway now Generally Available
Netlify announces AI Gateway is generally available for all users. The fully managed gateway handles keys, setup, and monitoring, enabling AI powered apps with confidence. See blog, demos, and docs for details.
Availability
AI Gateway is now generally available (GA) for all Netlify users. Build AI-powered apps with confidence using our fully managed gateway that handles AI model keys, setup, and monitoring automatically.
For a deeper dive into AI Gateway capabilities, check out our latest blog post.
For a video overview of how the AI Gateway works with a fun demo project, check out our AI Gateway gameshow demo.
For other AI Gateway example projects, check out these videos:
- AI agent generates blog post images
- AI agent summarizes form submissions
Learn more in our AI Gateway documentation.
Availability
To use AI Gateway, you must have a Credit-based plan or an enabled Enterprise plan.
Learn more about pricing for AI features and monitoring their usage.
To request access to the AI Gateway for an Enterprise plan, reach out to your Netlify account manager.
- Dec 16, 2025
- Parsed from source:Dec 16, 2025
- Detected by Releasebot:Jan 7, 2026
Observability is here
Netlify Observability delivers real time production visibility across requests, bandwidth, runtime behavior and Edge Functions with an integrated feature tour. Availability covers Credit based and Enterprise plans, with Function Metrics phased out where Observability is enabled.
Netlify Observability
Netlify Observability offers real-time visibility into your project’s production performance and resource usage.
Monitor requests, bandwidth, runtime behavior, functions, and Edge Functions to understand how your web project operates in production, fix errors, and optimize web performance.
Get a deep feature tour from our Observability blog post.
Try Observability
From your project overview, select Logs & metrics > Observability. To expand details for a request, select a request.
Availability
Observability is available for Credit-based plans and Enterprise plans. If you have a Legacy pricing plan, you can get a sneak peek at your observability data by checking out the widget from your Project Overview.
Note that if you have a Credit-based plan or have Observability enabled for an Enterprise plan, then Function Metrics will no longer be available to you as it is replaced by Observability.
If you do not have Observability, then Function Metrics will continue to be available to you.
Learn more in our Function metrics docs.
Other monitoring updates
As part of monitoring updates, we have also updated the names of some of our monitoring features.
Further info
To learn more, check out Observability docs.
- Dec 16, 2025
- Parsed from source:Dec 16, 2025
- Detected by Releasebot:Jan 7, 2026
New Prerender extension
Netlify announces the Prerender extension is GA for all users, replacing the legacy prerendering feature which is deprecated. The extension serves pre rendered HTML to crawlers while regular visitors see the app, boosting SEO and social previews. Legacy prerendering will shut down on scheduled dates.
The Prerender extension is now generally available (GA)
The Prerender extension is now generally available (GA) for all Netlify users. The legacy prerendering feature is now deprecated with limited support.
Once set up, this extension automatically serves pre-rendered HTML to crawlers, agents, and preview services, while regular site visitors continue to receive your standard JavaScript application.
Prerendering ensures your app’s content is discoverable to AI agents, SEO crawlers, and preview services, such as for social media previews.
Prerendering is designed for apps that use JavaScript to generate page content instead of serving most or all content in HTML, such as for single-page applications (SPAs) built with frameworks like React, Vue, or Angular.
For a deeper dive on prerendering and the new extension, check out our latest blog post.
Does my project need prerendering?
Not sure if your web project needs prerendering?
Find out using our prerendering checker tool and your project URL.
Set up the Prerender extension
To try out the Prerender extension, install it from the Netlify extensions library.
If you have the legacy prerendering feature enabled, disable it in your site’s settings.
Learn more about setting up this extension from our Prerender extension documentation.
Deprecating the legacy prerendering feature
The legacy built-in prerendering feature is now deprecated and will gradually shut down and stop working.
Here is the deprecation timeline:
- January 20, 2026 The feature will be disabled for customers on Free plans (either legacy or credit-based) or the legacy Starter plan.
- February 17, 2026 The feature will be disabled for customers on the Personal plan or the Pro plans (legacy or credit-based)
- March 17, 2026 The feature will be disabled for Enterprise and all other specialized plans.
Note: Some customers on paid plans have a customized setup in which the legacy feature acted as a proxy to external prerendering vendors. Please reach out to Netlify Support for help on your next options.