Yesterday's Top Poster

Security Update: Multiple vulnerabilities in Next.js and React

  • Thread starter Thread starter Netlify
  • Start date Start date
The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here's what Netlify customers need to know. Summary If you run Next.js on Netlify, we strongly recommend upgrading next to 15.5.18 or 16.2.6 and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need OpenNext Netlify Next.js adapter v5.15.11. If you use react-server-dom-* outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See What should I do? for full steps. Netlify's platform is not vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See Impact on Netlify for the per-CVE verdict. Vulnerabilities React (react-server-dom-*) This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The Next.js advisory GHSA-8h8q-6873-q5fj tracks the same issue downstream. Vulnerability: GHSA-rv78-f8rc-xrxh — DoS in Server Components (CVE-2026-23870 ) Severity: High Affected versions: 19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5 Fixed in: 19.0.6, 19.1.7, 19.2.6 Next.js All Next.js issues are patched in 15.5.18 and 16.2.6. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor. Vulnerability: GHSA-8h8q-6873-q5fj — DoS with Server Components Severity: High Affected versions: ≥13.0.0 Vulnerability: GHSA-267c-6grr-h53f — Middleware / Proxy bypass in App Router via segment-prefetch routes Severity: High Affected versions: ≥15.2.0 Vulnerability: GHSA-26hh-7cqf-hhc6 — Follow-up to GHSA-267c-6grr-h53f : incomplete fix for middleware.ts with Turbopack Severity: High Affected versions: ≥15.2.0 Vulnerability: GHSA-mg66-mrh9-m8jx — DoS via connection exhaustion in apps using Cache Components Severity: High Affected versions: ≥15.0.0 (apps using Cache Components) Vulnerability: GHSA-492v-c6pp-mqqv — Middleware / Proxy bypass through dynamic route parameter injection Severity: High Affected versions: ≥15.4.0 Vulnerability: GHSA-c4j6-fc7j-m34r — SSRF in applications using WebSocket upgrades Severity: High Affected versions: ≥13.4.13 Vulnerability: GHSA-36qx-fr4f-26g5 — Middleware / Proxy bypass in Pages Router applications using i18n Severity: High Affected versions: ≥12.2.0 Vulnerability: GHSA-ffhc-5mcf-pf4q — XSS in App Router applications using CSP nonces Severity: Medium Affected versions: ≥13.4.0 Vulnerability: GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts with untrusted input Severity: Medium Affected versions: ≥13.0.0 Vulnerability: GHSA-h64f-5h5j-jqjh — DoS in the Image Optimization API Severity: Medium Affected versions: ≥10.0.0 Vulnerability: GHSA-wfc6-r584-vfw7 — Cache poisoning in React Server Component responses Severity: Medium Affected versions: ≥14.2.0 Vulnerability: GHSA-vfv6-92ff-j949 — Cache poisoning via collisions in React Server Component cache-busting Severity: Low Affected versions: ≥13.4.6 Vulnerability: GHSA-3g8h-86w9-wvmq — Middleware / Proxy redirects can be cache-poisoned Severity: Low Affected versions: ≥12.2.0 Impact on Netlify Denial of service GHSA-8h8q-6873-q5fj and GHSA-mg66-mrh9-m8jx are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components (GHSA-mg66-mrh9-m8jx) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both. GHSA-h64f-5h5j-jqjh affects the Next.js Image Optimization API. Netlify projects are not affected: this Next.js code path is not used on Netlify — image optimization is handled by Netlify Image CDN, a separate service that runs outside your project's functions with its own protections against this class of issue. Middleware / proxy bypass These four CVEs affect Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per CVE:
  • GHSA-3g8h-86w9-wvmq (cache-poisoned redirects): Netlify projects are not affected. Our OpenNext Netlify Next.js adapter already varies cached responses on the x-nextjs-data header.
  • GHSA-492v-c6pp-mqqv (dynamic route parameter injection): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
  • GHSA-36qx-fr4f-26g5 (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are affected. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in OpenNext Netlify Next.js adapter v5.15.11 . See how to upgrade below.
  • GHSA-267c-6grr-h53f (App Router segment-prefetch bypass) and GHSA-26hh-7cqf-hhc6 (follow-up): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves both.
Cross-site scripting GHSA-ffhc-5mcf-pf4q and GHSA-gx5p-jg67-6x7h are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to beforeInteractive scripts may be vulnerable. Upgrade Next.js to remediate. Server-side request forgery GHSA-c4j6-fc7j-m34r affects applications using WebSocket upgrades. Netlify projects are not affected: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify. Cache poisoning GHSA-wfc6-r584-vfw7 and GHSA-vfv6-92ff-j949 affect React Server Component response caching. Netlify projects are not affected: Netlify's CDN does not rely on the _rsc cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors Vary on RSC-related request headers. What should I do? We strongly recommend upgrading as soon as possible to patched releases:
  • Next.js projects: upgrade next to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate react-server-dom-* upgrade is not needed.
  • Direct react-server-dom-* users (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.
For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x. For projects using Pages Router with i18n and Next.js Middleware / Proxy (GHSA-36qx-fr4f-26g5), the upstream Next.js fix does not fully apply on Netlify. The fix ships in OpenNext Netlify Next.js adapter v5.15.11:
  • Auto-installed adapter (default): redeploy.
  • Manually installed adapter: upgrade @netlify/plugin-nextjs to v5.15.11 and redeploy. We recommend not pinning the adapter version so future fixes ship automatically.
Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually. Resources
  • React security advisory (GHSA-rv78-f8rc-xrxh)
  • CVE-2026-23870
  • Next.js security advisories

Continue reading...
 
Back
Top