The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for versions 19.x.
A high-severity denial-of-service vulnerability tracked as CVE-2026-23870 affects React Server Components packages for versions 19.x and all Next.js App Router deployments on versions 13.x, 14.x, 15.x, and 16.x.
A specially crafted HTTP request sent to any App Router Server Function endpoint, when deserialized, can trigger excessive CPU usage, resulting in denial-of-service attacks in unpatched environments.
The issue is rooted in the React “Flight” protocol’s deserialization logic, which fails to adequately enforce structural or type constraints on inbound payloads.
Three separate advisories GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv address middleware bypass vulnerabilities in App Router applications.
Specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by intended middleware rules, allowing protected content to be accessed without proper authorization checks.
The fix now includes App Router transport variants when generating middleware matchers, ensuring middleware protections apply consistently to all request types, including prefetch variants.
Until an upgrade is possible, developers should enforce authorization directly in the underlying route or page logic rather than relying solely on middleware.
Tracked as CVE-2026-44578 and covered under GHSA-c4j6-fc7j-m34r, this high-severity flaw enables server-side request forgery through crafted WebSocket upgrade requests on self-hosted Node.js deployments.
An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.
Vercel-hosted deployments are explicitly noted as unaffected. The fix applies the same safety checks to WebSocket upgrade handling that already existed for standard HTTP requests.
CVE-2026-44573 (GHSA-36qx-fr4f-26g5) affects applications using the Pages Router with i18n configured alongside middleware-based authorization.
Locale-less /_next/data/<buildId>/<page>.json requests bypass middleware entirely, enabling attackers to retrieve server-side rendered JSON for protected pages without passing authorization checks.
The matcher logic has been updated to apply consistent matching across both prefixed and unprefixed data routes.
Beyond the high-severity flaws, Vercel also patched several moderate and low-severity issues.
These include cross-site scripting vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and in beforeInteractive scripts with untrusted input (GHSA-gx5p-jg67-6x7h), a denial-of-service bug in the Image Optimization API (GHSA-h64f-5h5j-jqjh), and cache poisoning issues in React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).
A connection exhaustion DoS in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning of middleware redirects (GHSA-3g8h-86w9-wvmq) round out the advisory list.
Organizations running affected Next.js versions should prioritize upgrading immediately.
For teams unable to upgrade right away, the recommended interim mitigations include enforcing authorization within individual route or page logic rather than relying on middleware alone, blocking WebSocket upgrades at the reverse proxy or load balancer level, and restricting server egress to known internal networks.
Cybercriminals now enter through your suppliers instead of your front door – Free Webinar
The post Multiple Critical Vulnerabilities Patched in Next.js and React Server Components appeared first on Cyber Security News.
Xbox seems to have rebranded…to XBOX. You'd be forgiven for not noticing the difference, but…
Upcoming action movie prequel John Rambo has reportedly added James Franco to its cast. Details…
In the Grey is now playing in theaters. Jake Gyllenhaal and Henry Cavill met in…
At SIM 2026 in Porto, João Rui Ferreira, Secretary of State for the Economy, announced the…
This website uses cookies.