Vercel has released a sweeping set of security advisories for Next.js, addressing more than a dozen vulnerabilities spanning denial of service, middleware bypass, server-side request forgery (SSRF), and cross-site scripting (XSS). Most of the flaws affect Next.js 13.x through 16.x applications that use the App Router; one affects the Pages Router, and the React Server Components packages for React 19.x are affected as well. Organizations running these widely used frameworks should prioritize patching immediately.
CVE-2026-23870: Denial of Service via React Server Components
A high-severity denial-of-service vulnerability tracked as CVE-2026-23870 affects React Server Components packages for versions 19.x and all Next.js App Router deployments on versions 13.x, 14.x, 15.x, and 16.x. A specially crafted HTTP request sent to any App Router Server Function endpoint, when deserialized, can trigger excessive CPU usage, causing denial-of-service conditions in unpatched environments.
The root cause lies in the React “Flight” protocol’s deserialization logic, which fails to adequately enforce structural or type constraints on inbound payloads. Attackers can exploit this without authentication, making it particularly dangerous for publicly accessible applications.
Middleware and Proxy Authorization Bypass Flaws
Three separate advisories — GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv — address middleware bypass vulnerabilities in App Router applications. Specially crafted .rsc and segment-prefetch URLs can resolve to protected pages without triggering intended middleware rules, allowing attackers to access protected content without passing authorization checks.
The fix includes the App Router transport variants when generating middleware matchers, so middleware protections apply consistently to every request type, prefetch variants included. Until an upgrade is possible, enforce authorization directly in the underlying route or page logic rather than relying solely on middleware. That remains good practice after upgrading: middleware only runs where its matcher says it should, and any future gap in the matcher reproduces this class of bypass.
CVE-2026-44578: SSRF via WebSocket Upgrade Requests
Tracked as CVE-2026-44578, this high-severity flaw enables server-side request forgery through crafted WebSocket upgrade requests on self-hosted Node.js deployments. An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints — a particularly dangerous scenario in cloud-native environments.
- Vercel-hosted deployments are explicitly noted as not affected
- The fix applies the same safety checks to WebSocket upgrade handling that already existed for standard HTTP requests
- Self-hosted Node.js deployments running affected versions should upgrade immediately
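The design point in the second bullet, that an Upgrade header must not route around the destination checks applied to ordinary proxied requests, as an added example. This is constructed illustration code written for this article, not Next.js's implementation or Vercel's fix; the allowlist, the request shape (`{ headers, target }`) and the `allowUpgrades` switch are assumptions for the example. The check refuses unparseable URLs, schemes other than HTTP(S)/WS(S), embedded credentials, loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) and internal IPv6 hosts, and anything not on the allowlist; `allowUpgrades: false` models the interim mitigation of refusing WebSocket upgrades outright at the proxy.

```javascript
// Added example: one destination check applied to every proxied request,
// WebSocket upgrades included. Constructed illustration, not Next.js code.

// Upstreams this deployment is allowed to proxy to (constructed allowlist).
const ALLOWED_UPSTREAMS = new Set(['api.example.com', 'ws.example.com']);

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for addresses a server should never be talked into reaching on a
// client's behalf: loopback, RFC 1918, link-local (cloud metadata lives at
// 169.254.169.254), "this" network, and their IPv6 counterparts.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const m = IPV4.exec(h);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) {
    // ::1 loopback, :: unspecified, fe80::/10 link-local, fc00::/7 unique-local,
    // and IPv4-mapped addresses (which would otherwise smuggle 127.0.0.1 past the check)
    return h === '::1' || h === '::' || h.startsWith('fe80:') ||
      h.startsWith('fc') || h.startsWith('fd') || h.startsWith('::ffff:');
  }
  return false;
}

// Decide whether a proxied destination is acceptable. Returns a verdict with a
// reason so the caller can log why something was refused.
function checkProxyTarget(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol)) return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (isInternalHost(url.hostname)) return { ok: false, reason: 'internal-address' };
  if (!ALLOWED_UPSTREAMS.has(url.hostname)) return { ok: false, reason: 'not-allowlisted' };
  return { ok: true, reason: 'allowed' };
}

// Route one inbound request. `req` is a constructed shape: `headers` (lowercase
// names) and `target`, the upstream URL the proxy would forward to. The same
// checkProxyTarget() runs whether or not the client asked for an upgrade.
function routeRequest(req, options = { allowUpgrades: true }) {
  const isUpgrade = String(req.headers.upgrade || '').toLowerCase() === 'websocket';
  if (isUpgrade && !options.allowUpgrades) {
    // Interim mitigation: refuse WebSocket upgrades outright at the proxy.
    return { action: 'reject', status: 403, reason: 'upgrades-disabled' };
  }
  const verdict = checkProxyTarget(req.target);
  if (!verdict.ok) return { action: 'reject', status: 403, reason: verdict.reason };
  return isUpgrade
    ? { action: 'upgrade', status: 101, reason: 'allowed' }
    : { action: 'proxy', status: 200, reason: 'allowed' };
}
```

A hostname check like this is necessary but not sufficient: an allowlisted hostname can still resolve to an internal address (DNS rebinding), so pair it with network-level egress restrictions, and re-check any redirect the upstream returns instead of following it blindly.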
CVE-2026-44573: Pages Router i18n Middleware Bypass
CVE-2026-44573 affects applications using the Pages Router with i18n configured alongside middleware-based authorization. Locale-less /_next/data/<buildId>/<page>.json requests bypass middleware entirely, enabling attackers to retrieve server-side rendered JSON for protected pages without passing authorization checks. The matcher logic has been updated to apply consistent matching across both prefixed and unprefixed data routes.
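The interim mitigation recommended for both the App Router bypasses above and this Pages Router one is the same: make the handler itself decide who may see the response, so a request that never passes through middleware is still refused. An added example of that pattern follows. It is constructed illustration code written for this article, not Vercel's or Next.js's; the session store, the cookie name `session`, the `admin` role and the minimal cookie parser are assumptions for the example, and a real application would use its own session library. It uses only the standard `Request` and `Response` objects, so it runs in plain Node.js 18 or later without Next.js installed, and the handlers are written synchronously so they can be exercised without an event loop (real ones are usually `async`).

```javascript
// Added example: authorization enforced inside the handlers, not (only) in
// middleware. Constructed illustration, not Next.js or Vercel code.

// Constructed session store standing in for a real session backend.
const SESSIONS = new Map([
  ['s3ss10n-alice', { user: 'alice', roles: ['admin'] }],
  ['s3ss10n-bob', { user: 'bob', roles: ['viewer'] }],
]);

// Minimal Cookie header parser (hypothetical helper for the example).
function parseCookies(header) {
  const cookies = {};
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Shared check used by both routers: a pure function of the Cookie header, so
// it gives the same answer for /dashboard, /dashboard.rsc, a prefetch variant,
// or /_next/data/<buildId>/dashboard.json. Returns the session or null.
function sessionFromCookieHeader(cookieHeader) {
  const sid = parseCookies(cookieHeader).session;
  return (sid && SESSIONS.get(sid)) || null;
}

function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// App Router route handler (the shape of app/api/admin/route.js). The
// authorization decision lives here; a matcher gap upstream cannot skip it.
function GET(request) {
  const session = sessionFromCookieHeader(request.headers.get('cookie'));
  if (!session) return json({ error: 'unauthorized' }, 401);
  if (!session.roles.includes('admin')) return json({ error: 'forbidden' }, 403);
  return json({ user: session.user, report: 'admin-only data' }, 200);
}

// Pages Router equivalent (the shape of getServerSideProps in pages/dashboard.js).
// It runs for the HTML route and for the /_next/data/... JSON route alike, which
// is why the check belongs here rather than only in middleware.
function getServerSideProps(context) {
  const session = sessionFromCookieHeader(context.req.headers.cookie);
  if (!session) {
    return { redirect: { destination: '/login', permanent: false } };
  }
  return { props: { user: session.user, roles: session.roles } };
}
```

Middleware can stay in place as a fast first gate (for redirects, rate limiting, locale handling), but the decision that actually protects data should be one the page or route handler makes for itself.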
Additional Moderate and Low Severity Issues
Beyond the high-severity flaws, Vercel also patched several moderate and low-severity issues:
- XSS in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q)
- XSS in beforeInteractive scripts with untrusted input (GHSA-gx5p-jg67-6x7h)
- DoS in the Image Optimization API (GHSA-h64f-5h5j-jqjh)
- Cache poisoning in React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949)
- Connection exhaustion DoS in Cache Components (GHSA-mg66-mrh9-m8jx)
- Cache poisoning of middleware redirects (GHSA-3g8h-86w9-wvmq)
Recommended Mitigations
Organizations running affected Next.js versions should prioritize upgrading immediately. For teams unable to upgrade right away, recommended interim mitigations include:
- Enforce authorization within individual route or page logic rather than relying on middleware alone
- Block WebSocket upgrades at the reverse proxy or load balancer level
- Restrict server egress to the destinations the application actually needs, so a forged request cannot reach internal services or cloud metadata endpoints
- Review all App Router endpoints for direct exposure to untrusted input
Given the breadth of this release, more than a dozen distinct vulnerabilities including high-severity SSRF and DoS vectors, it is one of the larger security updates Next.js has shipped. Teams on the App Router, and Pages Router deployments that combine i18n with middleware-based authorization, should treat it as an urgent remediation priority.