Next.js and React Server Components Get Urgent Security Fixes for DoS, SSRF, and Auth Bypass Flaws


Vercel has released a major Next.js security update that fixes 13 advisories across denial-of-service, middleware bypass, server-side request forgery, cache poisoning, and cross-site scripting bugs.

The update also includes a fix for an upstream React Server Components vulnerability tracked as CVE-2026-23870. This flaw can let attackers send crafted HTTP requests to Server Function endpoints and trigger excessive CPU usage or out-of-memory conditions.

Developers using affected Next.js and React Server Components versions should upgrade immediately. Vercel says patching is the only complete mitigation for this advisory batch.

What was fixed

The May 2026 Next.js security release affects applications that use the App Router, Pages Router, middleware, proxy logic, WebSocket upgrades, caching layers, Server Functions, Cache Components, and the Image Optimization API.

The most important issues include a React Server Components denial-of-service flaw, several middleware and proxy bypasses, a WebSocket-based SSRF bug, cache poisoning flaws, and XSS issues in specific Next.js configurations.

These vulnerabilities matter because many production Next.js apps use middleware or proxy files for authorization. If those checks fail on alternate request paths, attackers may reach protected data without going through the intended access control.

At a glance

Category                    | Impact                                                                  | Severity
React Server Components DoS | Crafted requests can trigger high CPU usage or memory exhaustion        | High
Middleware and proxy bypass | Protected routes may become reachable through alternate request paths   | High and low
WebSocket SSRF              | Self-hosted servers may proxy requests to internal or external targets  | High
Cache poisoning             | Cached React Server Component responses may serve incorrect content     | Moderate and low
Cross-site scripting        | Specific App Router and script configurations may expose XSS risk       | Moderate

CVE-2026-23870 affects React Server Components

CVE-2026-23870 is a high-severity denial-of-service vulnerability in React Server Components packages. It affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

The flaw is triggered when the server deserializes a specially crafted request sent to a Server Function endpoint. The result can include excessive CPU usage, out-of-memory exceptions, or server crashes.

React lists the affected versions as 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5. Fixed versions are 19.0.6, 19.1.7, and 19.2.6.

Next.js App Router apps are also affected

Next.js apps that use the App Router can be affected because they rely on React Server Components in supported configurations. Vercel says the issue affects Next.js 13.x, 14.x, 15.x, and 16.x App Router deployments through the upstream React Server Components bug.

For Next.js, patched versions are available as 15.5.18 and 16.2.6. Vercel recommends that users on Next.js 13.x and 14.x move to 15.5.18 or 16.2.6.

Teams should also check their lockfiles. A project may still pull vulnerable react-server-dom packages even after a package.json change if dependency versions remain pinned.

Middleware bypass bugs can expose protected content

Several high-severity advisories involve middleware or proxy bypasses. These affect apps that rely on middleware.js or proxy.js to enforce authorization.

One App Router issue lets specially crafted .rsc and segment-prefetch URLs resolve to the same page without matching the intended middleware rule. This can let attackers reach protected content without the expected authorization check.

Another Pages Router issue affects applications with i18n configured. Locale-less /_next/data/<buildId>/<page>.json requests can bypass middleware and expose server-side rendered JSON for protected pages.

WebSocket SSRF affects self-hosted Node.js deployments

The SSRF issue is tracked as CVE-2026-44578. It affects self-hosted Next.js applications that use the built-in Node.js server and handle WebSocket upgrade requests.

An attacker can use crafted WebSocket upgrade requests to make the server proxy requests to arbitrary internal or external destinations. This can expose internal services or cloud metadata endpoints.

Vercel-hosted deployments are not affected by this specific SSRF advisory. The risk mainly applies to self-hosted setups where the origin server can receive untrusted WebSocket upgrade traffic.

Other advisories include XSS, cache poisoning, and DoS bugs

The release also fixes moderate XSS issues in App Router applications using CSP nonces and in beforeInteractive scripts that consume untrusted input.

Vercel also patched cache poisoning issues tied to React Server Component responses and collisions in RSC cache-busting. These bugs matter most when applications have caching layers in front of RSC responses.

The advisory batch also includes a denial-of-service issue in the Image Optimization API and another DoS issue involving connection exhaustion in applications that use Cache Components.

Affected and fixed versions

Package                    | Affected versions   | Fixed version
Next.js 13.x and 14.x      | All versions        | 15.5.18 or 16.2.6
Next.js 15.x               | 15.5.17 and earlier | 15.5.18
Next.js 16.x               | 16.2.5 and earlier  | 16.2.6
react-server-dom-* 19.0.x  | 19.0.5 and earlier  | 19.0.6
react-server-dom-* 19.1.x  | 19.1.6 and earlier  | 19.1.7
react-server-dom-* 19.2.x  | 19.2.5 and earlier  | 19.2.6
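The lockfile check suggested in the App Router section, applied to the version table above, as an added example that is not Vercel's or React's code: it assumes a package-lock.json with lockfileVersion 2 or 3 (yarn and pnpm lockfiles are not parsed) and encodes only the fixed versions this article lists.

```javascript
// Added example (not Vercel's or React's code): flag next and react-server-dom-*
// installs in a package-lock.json (lockfileVersion 2/3) below the fixed releases.
const RSC_FIXED = ['19.0.6', '19.1.7', '19.2.6'];
const FIXED = { next: ['15.5.18', '16.2.6'] };
for (const b of ['webpack', 'parcel', 'turbopack']) FIXED[`react-server-dom-${b}`] = RSC_FIXED;
// "MAJOR.MINOR.PATCH[-prerelease]" -> numeric fields plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}
// Semver-style order; a prerelease sorts below its release (16.2.6-canary.1 < 16.2.6).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  return Number(pb.pre) - Number(pa.pre);
}

// Release an install must reach: lowest fix in the same major with minor >= installed minor,
// else the lowest fix overall if the installed major predates every fix (13.x/14.x -> 15.5.18);
// null means the advisory does not cover that line (for example a newer major).
function requiredFix(name, installed) {
  const fixes = FIXED[name];
  if (!fixes) return null;
  const [maj, min] = parseVersion(installed).nums;
  const sameLine = fixes.find((f) => {
    const [fm, fn] = parseVersion(f).nums;
    return fm === maj && fn >= min;
  });
  return sameLine || (maj < parseVersion(fixes[0]).nums[0] ? fixes[0] : null);
}

// Walk the lockfile's "packages" map, nested node_modules paths included.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = /node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
    if (!m || !entry.version) continue;
    const fix = requiredFix(m[1], entry.version);
    if (fix && compareVersions(entry.version, fix) < 0)
      findings.push({ path, name: m[1], installed: entry.version, fix });
  }
  return findings;
}

// Constructed sample lockfile: a stale hoisted next plus a nested RSC package.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '15.5.17' },
  'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.5' },
  'node_modules/react-server-dom-turbopack': { version: '19.1.7' },
} };
```

Against a real project, run findVulnerable(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))) from the repository root; a non-empty result means the lockfile still pins a vulnerable line even if package.json was already bumped.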

What developers should do now

Developers should upgrade Next.js and React Server Components packages first. After upgrading, they should rebuild and redeploy affected apps instead of only changing package files.

Teams should also audit authorization logic. Middleware can help protect routes, but sensitive pages and API paths should enforce authorization in the underlying route, page, or server-side data logic as well.

Self-hosted teams should check whether their origin server handles WebSocket upgrades. If WebSockets are not required, administrators can block upgrade requests at the reverse proxy or load balancer until the upgrade is complete.

  • Upgrade Next.js to 15.5.18 or 16.2.6.
  • Upgrade react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to patched versions.
  • Review middleware.js and proxy.js authorization rules.
  • Move critical authorization checks into route, page, or server-side data logic.
  • Block WebSocket upgrades if the app does not need them.
  • Restrict origin server egress to prevent access to metadata endpoints and internal services.
  • Review CDN and cache rules for React Server Component responses.
  • Test protected App Router and Pages Router paths after patching.

Why this update matters

This security release covers several parts of the modern Next.js stack at the same time. It touches routing, middleware, caching, WebSocket handling, image optimization, and React Server Components.

The middleware bypass bugs are especially important for apps that protect dashboards, account pages, admin screens, or paid content through edge checks. A missed transport variant or data route can turn a protected page into an exposed endpoint.

The React Server Components flaw also shows why teams need to keep framework dependencies current. Even if application code does not change, a vulnerable server-side framework package can still create production risk.

Summary

  1. Vercel fixed 13 Next.js advisories in its May 2026 security release.
  2. CVE-2026-23870 affects React Server Components and can cause denial of service.
  3. Next.js middleware and proxy bypass bugs can expose protected content in some apps.
  4. CVE-2026-44578 affects self-hosted deployments that handle WebSocket upgrades.
  5. Developers should upgrade Next.js, update React Server Components packages, and review authorization logic.

FAQ

What is CVE-2026-23870?

CVE-2026-23870 is a high-severity denial-of-service vulnerability in React Server Components packages. Crafted requests to Server Function endpoints can cause excessive CPU usage, memory exhaustion, or crashes.

Which React packages are affected?

The affected packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across vulnerable 19.0.x, 19.1.x, and 19.2.x versions.

Which Next.js versions should developers install?

Developers should install Next.js 15.5.18 or 16.2.6. Users on Next.js 13.x and 14.x should move to one of those fixed versions.

Are Vercel-hosted apps affected by the WebSocket SSRF bug?

No. Vercel says Vercel-hosted deployments are not affected by the WebSocket SSRF issue. The advisory applies to self-hosted Node.js deployments.
