Vercel Patches Critical Next.js, React Server Component Vulnerabilities
Key Takeaways Vercel has issued multiple security advisories for Next.js and React Server Components, patching over a dozen vulnerabilities. The flaws impact Next.js versions 13.x through 16.x...
Key Takeaways
- Vercel has issued multiple security advisories for Next.js and React Server Components, patching over a dozen vulnerabilities.
- The flaws impact Next.js versions 13.x through 16.x utilizing the App Router, React Server Components packages for versions 19.x, and some Pages Router configurations.
- Critical vulnerabilities include denial-of-service, server-side request forgery (SSRF), and several authorization bypasses.
- Immediate upgrades are strongly recommended, with interim mitigations available for those unable to patch immediately.
Vercel Addresses Critical Security Flaws in Next.js and React Server Components
Vercel has released a series of security advisories detailing patches for more than a dozen vulnerabilities across its Next.js framework and React Server Components. These critical flaws encompass a range of attack vectors, including denial-of-service (DoS), middleware bypasses, server-side request forgery (SSRF), and cross-site scripting (XSS) exploits.
Table Of Content
- Key Takeaways
- Vercel Addresses Critical Security Flaws in Next.js and React Server Components
- CVE-2026-23870: Denial of Service via React Server Components
- Middleware and Proxy Authorization Bypass Vulnerabilities
- CVE-2026-44578: SSRF via WebSocket Upgrade Requests
- CVE-2026-44573: Pages Router i18n Middleware Bypass
- Additional Vulnerabilities Addressed
- What You Should Do
The vulnerabilities affect various Next.js iterations from versions 13.x through 16.x when deployed with the App Router. Additionally, React Server Components packages for versions 19.x are impacted.
CVE-2026-23870: Denial of Service via React Server Components
A high-severity denial-of-service vulnerability, identified as CVE-2026-23870, poses a significant risk to React Server Components packages (versions 19.x) and all Next.js App Router deployments (versions 13.x, 14.x, 15.x, and 16.x). Attackers can exploit this flaw by sending a specially crafted HTTP request to any App Router Server Function endpoint. Upon deserialization, this malicious request triggers excessive CPU utilization, leading to a denial-of-service condition in unpatched environments.
The root cause lies within the React “Flight” protocol’s deserialization logic, which lacks sufficient enforcement of structural or type constraints on incoming data payloads.
Middleware and Proxy Authorization Bypass Vulnerabilities
Several advisories—GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv—address middleware bypass vulnerabilities specifically impacting App Router applications. Attackers can leverage crafted .rsc and segment-prefetch URLs to access protected content without triggering intended middleware rules, thereby circumventing authorization checks.
The implemented fix now incorporates App Router transport variants during the generation of middleware matchers. This ensures that middleware protections are consistently applied to all request types, including prefetch variants, preventing unauthorized access. For developers unable to upgrade immediately, Vercel advises implementing authorization checks directly within the underlying route or page logic, rather than relying solely on middleware.
CVE-2026-44578: SSRF via WebSocket Upgrade Requests
A high-severity server-side request forgery (SSRF) vulnerability, CVE-2026-44578, detailed in GHSA-c4j6-fc7j-m34r, allows attackers to execute SSRF attacks through specially crafted WebSocket upgrade requests. This flaw primarily affects self-hosted Node.js deployments. An adversary can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing sensitive internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.
Vercel-hosted deployments are explicitly stated as unaffected by this particular vulnerability. The patch introduces the same safety checks to WebSocket upgrade handling that were already in place for standard HTTP requests.
CVE-2026-44573: Pages Router i18n Middleware Bypass
CVE-2026-44573 (GHSA-36qx-fr4f-26g5) targets applications utilizing the Pages Router configured with i18n alongside middleware-based authorization. This vulnerability permits locale-less /_next/data/<buildId>/<page>.json requests to bypass middleware entirely. Consequently, attackers can retrieve server-side rendered JSON for protected pages without undergoing necessary authorization checks.
The updated matcher logic now ensures consistent matching across both prefixed and unprefixed data routes to mitigate this bypass.
Additional Vulnerabilities Addressed
Beyond these high-severity issues, Vercel also addressed several vulnerabilities categorized as moderate and low severity. These include cross-site scripting (XSS) vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and within beforeInteractive scripts that process untrusted input (GHSA-gx5p-jg67-6x7h). A denial-of-service bug was also fixed in the Image Optimization API (GHSA-h64f-5h5j-jqjh), alongside cache poisoning issues affecting React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).
Other notable fixes include a connection exhaustion DoS vulnerability in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning affecting middleware redirects (GHSA-3g8h-86w9-wvmq), completing the comprehensive list of advisories.
What You Should Do
- Upgrade Immediately: Organizations running affected Next.js versions should prioritize upgrading to the latest patched versions as soon as possible.
- Enforce Authorization: If an immediate upgrade is not feasible, implement authorization checks directly within individual route or page logic, rather than relying solely on middleware for protection.
- Block WebSocket Upgrades: For the SSRF vulnerability (CVE-2026-44578), consider blocking WebSocket upgrades at the reverse proxy or load balancer level if your application does not require WebSocket functionality.
- Restrict Server Egress: Implement strict egress filtering to restrict server access to only known and necessary internal networks, mitigating potential damage from SSRF attacks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.