Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Home/CyberSecurity News/Vercel Patches Critical Next.js, React Server Component Vulnerabilities
CyberSecurity News

Vercel Patches Critical Next.js, React Server Component Vulnerabilities

Key Takeaways Vercel has issued multiple security advisories for Next.js and React Server Components, patching over a dozen vulnerabilities. The flaws impact Next.js versions 13.x through 16.x...

Emy Elsamnoudy
Emy Elsamnoudy
May 8, 2026 3 Min Read
53 0

Key Takeaways

  • Vercel has issued multiple security advisories for Next.js and React Server Components, patching over a dozen vulnerabilities.
  • The flaws impact Next.js versions 13.x through 16.x utilizing the App Router, React Server Components packages for versions 19.x, and some Pages Router configurations.
  • Critical vulnerabilities include denial-of-service, server-side request forgery (SSRF), and several authorization bypasses.
  • Immediate upgrades are strongly recommended, with interim mitigations available for those unable to patch immediately.

Vercel Addresses Critical Security Flaws in Next.js and React Server Components

Vercel has released a series of security advisories detailing patches for more than a dozen vulnerabilities across its Next.js framework and React Server Components. These critical flaws encompass a range of attack vectors, including denial-of-service (DoS), middleware bypasses, server-side request forgery (SSRF), and cross-site scripting (XSS) exploits.

Table Of Content

  • Key Takeaways
  • Vercel Addresses Critical Security Flaws in Next.js and React Server Components
  • CVE-2026-23870: Denial of Service via React Server Components
  • Middleware and Proxy Authorization Bypass Vulnerabilities
  • CVE-2026-44578: SSRF via WebSocket Upgrade Requests
  • CVE-2026-44573: Pages Router i18n Middleware Bypass
  • Additional Vulnerabilities Addressed
  • What You Should Do

The vulnerabilities affect various Next.js iterations from versions 13.x through 16.x when deployed with the App Router. Additionally, React Server Components packages for versions 19.x are impacted.

CVE-2026-23870: Denial of Service via React Server Components

A high-severity denial-of-service vulnerability, identified as CVE-2026-23870, poses a significant risk to React Server Components packages (versions 19.x) and all Next.js App Router deployments (versions 13.x, 14.x, 15.x, and 16.x). Attackers can exploit this flaw by sending a specially crafted HTTP request to any App Router Server Function endpoint. Upon deserialization, this malicious request triggers excessive CPU utilization, leading to a denial-of-service condition in unpatched environments.

The root cause lies within the React “Flight” protocol’s deserialization logic, which lacks sufficient enforcement of structural or type constraints on incoming data payloads.

Middleware and Proxy Authorization Bypass Vulnerabilities

Several advisories—GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv—address middleware bypass vulnerabilities specifically impacting App Router applications. Attackers can leverage crafted .rsc and segment-prefetch URLs to access protected content without triggering intended middleware rules, thereby circumventing authorization checks.

The implemented fix now incorporates App Router transport variants during the generation of middleware matchers. This ensures that middleware protections are consistently applied to all request types, including prefetch variants, preventing unauthorized access. For developers unable to upgrade immediately, Vercel advises implementing authorization checks directly within the underlying route or page logic, rather than relying solely on middleware.

CVE-2026-44578: SSRF via WebSocket Upgrade Requests

A high-severity server-side request forgery (SSRF) vulnerability, CVE-2026-44578, detailed in GHSA-c4j6-fc7j-m34r, allows attackers to execute SSRF attacks through specially crafted WebSocket upgrade requests. This flaw primarily affects self-hosted Node.js deployments. An adversary can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing sensitive internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.

Vercel-hosted deployments are explicitly stated as unaffected by this particular vulnerability. The patch introduces the same safety checks to WebSocket upgrade handling that were already in place for standard HTTP requests.

CVE-2026-44573: Pages Router i18n Middleware Bypass

CVE-2026-44573 (GHSA-36qx-fr4f-26g5) targets applications utilizing the Pages Router configured with i18n alongside middleware-based authorization. This vulnerability permits locale-less /_next/data/<buildId>/<page>.json requests to bypass middleware entirely. Consequently, attackers can retrieve server-side rendered JSON for protected pages without undergoing necessary authorization checks.

The updated matcher logic now ensures consistent matching across both prefixed and unprefixed data routes to mitigate this bypass.

Additional Vulnerabilities Addressed

Beyond these high-severity issues, Vercel also addressed several vulnerabilities categorized as moderate and low severity. These include cross-site scripting (XSS) vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and within beforeInteractive scripts that process untrusted input (GHSA-gx5p-jg67-6x7h). A denial-of-service bug was also fixed in the Image Optimization API (GHSA-h64f-5h5j-jqjh), alongside cache poisoning issues affecting React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).

Other notable fixes include a connection exhaustion DoS vulnerability in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning affecting middleware redirects (GHSA-3g8h-86w9-wvmq), completing the comprehensive list of advisories.

What You Should Do

  • Upgrade Immediately: Organizations running affected Next.js versions should prioritize upgrading to the latest patched versions as soon as possible.
  • Enforce Authorization: If an immediate upgrade is not feasible, implement authorization checks directly within individual route or page logic, rather than relying solely on middleware for protection.
  • Block WebSocket Upgrades: For the SSRF vulnerability (CVE-2026-44578), consider blocking WebSocket upgrades at the reverse proxy or load balancer level if your application does not require WebSocket functionality.
  • Restrict Server Egress: Implement strict egress filtering to restrict server access to only known and necessary internal networks, mitigating potential damage from SSRF attacks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEPatchSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical Ivanti EPMM CVE-2023-35078 0-Day Actively Exploited

Next Post

Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us