The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here's what Netlify customers need to know. Summary If you run Next.js on Netlify, we strongly recommend upgrading next to 15.5.18 or 16.2.6 and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need OpenNext Netlify Next.js adapter v5.15.11. If you use react-server-dom-* outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See What should I do? for full steps. Netlify's platform is not vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See Impact on Netlify for the per-CVE verdict. Vulnerabilities React (react-server-dom-*) This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The Next.js advisory GHSA-8h8q-6873-q5fj tracks the same issue downstream. Vulnerability: GHSA-rv78-f8rc-xrxh — DoS in Server Components (CVE-2026-23870 ) Severity: High Affected versions: 19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5 Fixed in: 19.0.6, 19.1.7, 19.2.6 Next.js All Next.js issues are patched in 15.5.18 and 16.2.6. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor. Vulnerability: GHSA-8h8q-6873-q5fj — DoS with Server Components Severity: High Affected versions: ≥13.0.0 Vulnerability: GHSA-267c-6grr-h53f — Middleware / Proxy bypass in App Router via segment-prefetch routes Severity: High Affected versions: ≥15.2.0 Vulnerability: GHSA-26hh-7cqf-hhc6 — Follow-up to GHSA-267c-6grr-h53f : incomplete fix for middleware.ts with Turbopack Severity: High Affected versions: ≥15.2.0 Vulnerability: GHSA-mg66-mrh9-m8jx — DoS via connection exhaustion in apps using Cache Components Severity: High Affected versions: ≥15.0.0 (apps using Cache Components) Vulnerability: GHSA-492v-c6pp-mqqv — Middleware / Proxy bypass through dynamic route parameter injection Severity: High Affected versions: ≥15.4.0 Vulnerability: GHSA-c4j6-fc7j-m34r — SSRF in applications using WebSocket upgrades Severity: High Affected versions: ≥13.4.13 Vulnerability: GHSA-36qx-fr4f-26g5 — Middleware / Proxy bypass in Pages Router applications using i18n Severity: High Affected versions: ≥12.2.0 Vulnerability: GHSA-ffhc-5mcf-pf4q — XSS in App Router applications using CSP nonces Severity: Medium Affected versions: ≥13.4.0 Vulnerability: GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts with untrusted input Severity: Medium Affected versions: ≥13.0.0 Vulnerability: GHSA-h64f-5h5j-jqjh — DoS in the Image Optimization API Severity: Medium Affected versions: ≥10.0.0 Vulnerability: GHSA-wfc6-r584-vfw7 — Cache poisoning in React Server Component responses Severity: Medium Affected versions: ≥14.2.0 Vulnerability: GHSA-vfv6-92ff-j949 — Cache poisoning via collisions in React Server Component cache-busting Severity: Low Affected versions: ≥13.4.6 Vulnerability: GHSA-3g8h-86w9-wvmq — Middleware / Proxy redirects can be cache-poisoned Severity: Low Affected versions: ≥12.2.0 Impact on Netlify Denial of service GHSA-8h8q-6873-q5fj and GHSA-mg66-mrh9-m8jx are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components (GHSA-mg66-mrh9-m8jx) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both. GHSA-h64f-5h5j-jqjh affects the Next.js Image Optimization API. Netlify projects are not affected: this Next.js code path is not used on Netlify — image optimization is handled by Netlify Image CDN, a separate service that runs outside your project's functions with its own protections against this class of issue. Middleware / proxy bypass These four CVEs affect Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per CVE:
Continue reading...
- GHSA-3g8h-86w9-wvmq (cache-poisoned redirects): Netlify projects are not affected. Our OpenNext Netlify Next.js adapter already varies cached responses on the x-nextjs-data header.
- GHSA-492v-c6pp-mqqv (dynamic route parameter injection): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
- GHSA-36qx-fr4f-26g5 (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are affected. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in OpenNext Netlify Next.js adapter v5.15.11 . See how to upgrade below.
- GHSA-267c-6grr-h53f (App Router segment-prefetch bypass) and GHSA-26hh-7cqf-hhc6 (follow-up): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves both.
- Next.js projects: upgrade next to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate react-server-dom-* upgrade is not needed.
- Direct react-server-dom-* users (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.
- Auto-installed adapter (default): redeploy.
- Manually installed adapter: upgrade @netlify/plugin-nextjs to v5.15.11 and redeploy. We recommend not pinning the adapter version so future fixes ship automatically.
- React security advisory (GHSA-rv78-f8rc-xrxh)
- CVE-2026-23870
- Next.js security advisories
Continue reading...