Summary
We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as CVE-2026-23870.
Recommended actions
Patched versions are available for both React and Next.js, and all affected users should upgrade immediately.
Impact
The release addresses the following advisories:
Middleware and proxy bypass
Affects applications that rely on
middleware.js or proxy.js for authorization.
High: Auth bypass via App Router segment-prefetch URL
High: App Router segment-prefetch bypass, incomplete fix follow-up
High: Pages Router i18n default-locale path bypasses proxy authorization
High: Bypass via dynamic route parameter injection
Low: Middleware redirects can be cache-poisoned
Denial of service
Affects applications using Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.
High: DoS in React Server Components (tracked upstream as CVE-2026-23870)
High: DoS via connection exhaustion in applications using Cache Components
Moderate: DoS via the Image Optimization API
Server-side request forgery
Affects applications that handle WebSocket upgrade requests.
Cache poisoning
Affects applications with caching layers in front of React Server Component responses.
Moderate: Cache poisoning in React Server Component responses
Low: Cache poisoning via collisions in RSC cache-busting
Cross-site scripting
Affects applications using CSP nonces in App Router, or
beforeInteractive scripts that consume untrusted input.
Moderate: XSS in App Router applications using CSP nonces
Moderate: XSS in beforeInteractive scripts with untrusted input
Resolution
These vulnerabilities are addressed by the patched releases of React and Next.js. Patching is the only complete mitigation, and all affected users should upgrade immediately.
Vercel has not deployed new WAF rules for this release; these advisories cannot be reliably blocked at the WAF layer.
Affected versions
Package | Affected | Upgrade to |
|---|---|---|
Next.js 13.x, 14.x | all versions | 15.5.18 or 16.2.6 |
Next.js 15.x | <=15.5.17 | 15.5.18 |
Next.js 16.x | <=16.2.5 | 16.2.6 |
react-server-dom-* 19.0.x | <=19.0.5 | 19.0.6 |
react-server-dom-* 19.1.x | <=19.1.6 | 19.1.7 |
react-server-dom-* 19.2.x | <=19.2.5 | 19.2.6 |
Fixed in
Next.js:15.5.18,16.2.6
React:19.0.6,19.1.7,19.2.6for thereact-server-dom-parcel,react-server-dom-webpackandreact-server-dom-turbopackpackages
Frameworks and bundlers using
react-server-dom-* packages should install the latest versions provided by their respective maintainers.References
Read more
Continue reading...