Vercel Patches Critical Next.js Flaws Affecting Millions of Apps
Vercel and the React team have disclosed a sweeping set of security vulnerabilities affecting React Server Components packages and Next.js versions 13.x through 16.x, urging developers to upgrade immediately across the ecosystem.
The flaws span denial-of-service, server-side request forgery, middleware bypass, cross-site scripting, and cache poisoning, with several rated High severity.
Patched versions are now available for React (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack 19.0.6, 19.1.7, and 19.2.6) and Next.js (15.5.16 and 16.2.5).
Critical Denial-of-Service Flaw Targets App Router
The most severe flaw, CVE-2026-23870 (GHSA-8h8q-6873-q5fj), targets React Server Components packages for versions 19.x and all Next.js App Router deployments.
A specially crafted HTTP request sent to any App Router Server Function endpoint triggers excessive CPU usage during deserialization, resulting in a denial-of-service condition that can bring down unpatched servers entirely.
Cloudflare confirmed that existing WAF rules originally deployed for prior React DoS CVEs, CVE-2025-55184 and CVE-2026-23864, already provide generic coverage for this new vulnerability and are enabled by default with a Block action for all customers, including Free plan users.
Middleware Bypass Flaws Exposed
Three high-severity advisories address middleware bypass vulnerabilities. GHSA-267c-6grr-h53f and its follow-up GHSA-26hh-7cqf-hhc6 reveal that specially crafted .rsc and segment-prefetch URLs in App Router applications can bypass intended middleware authorization rules entirely, allowing attackers to access protected content without authentication.
A separate advisory, GHSA-492v-c6pp-mqqv, discloses a middleware bypass via dynamic route parameter injection.
For Pages Router users with i18n configurations, CVE-2026-44573 (GHSA-36qx-fr4f-26g5) exposes how locale-less /_next/data/<buildId>/<page>.json requests skip middleware execution, leaking server-side rendered JSON for protected pages.
The fix updates the middleware matcher logic to apply protections consistently across all transport variants and route types.
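The two request shapes the advisories name explicitly, the .rsc variant of an App Router page and the locale-less /_next/data/<buildId>/<page>.json variant of a Pages Router page, are easy to hunt for in an access log. The script below is an added example, not code from Vercel or the advisories. It assumes a combined-format access log, a list of route prefixes that middleware is supposed to guard, and the locales declared in the app's i18n config; the log lines, build ID and route names are constructed. It does not cover segment-prefetch URLs, whose shape the page does not describe.

```javascript
// Added example (not Vercel's or Next.js' code): scan an access log for the
// middleware-bypass request shapes the advisories describe and report the ones
// that were served successfully.

// Constructed sample lines, not real traffic; buildId "abc123" is made up.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 302 0',
  '10.0.0.5 - - [01/May/2026:10:00:02 +0000] "GET /admin.rsc HTTP/1.1" 200 4821',
  '10.0.0.5 - - [01/May/2026:10:00:03 +0000] "GET /_next/data/abc123/admin.json HTTP/1.1" 200 913',
  '10.0.0.7 - - [01/May/2026:10:00:04 +0000] "GET /_next/data/abc123/en/admin.json HTTP/1.1" 302 0',
  '10.0.0.9 - - [01/May/2026:10:00:05 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 120000',
  '10.0.0.9 - - [01/May/2026:10:00:06 +0000] "GET /dashboard.rsc?x=1 HTTP/1.1" 401 0',
].join('\n');

// Assumed deployment facts: routes the middleware matcher is meant to guard,
// and the locales the app's i18n config declares.
const PROTECTED_PREFIXES = ['/admin', '/dashboard'];
const I18N_LOCALES = ['en', 'de'];

// ip ident user [timestamp] "METHOD target PROTO" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

function isProtected(pagePath) {
  return PROTECTED_PREFIXES.some(p => pagePath === p || pagePath.startsWith(p + '/'));
}

// Returns a reason when the path is a transport variant of a protected page
// that a matcher written for the plain page URL may not cover, else null.
function bypassReason(target) {
  const path = new URL(target, 'http://placeholder').pathname;

  // Pages Router with i18n expects /_next/data/<buildId>/<locale>/<page>.json;
  // when the segment after buildId is not a locale, middleware was skipped.
  const data = /^\/_next\/data\/[^/]+\/(.+)\.json$/.exec(path);
  if (data) {
    const segments = data[1].split('/');
    if (I18N_LOCALES.includes(segments[0])) return null;
    const page = '/' + segments.join('/');
    return isProtected(page) ? `locale-less _next/data request for ${page}` : null;
  }

  // App Router: the RSC payload variant of a page URL.
  if (path.endsWith('.rsc')) {
    const page = path.slice(0, -'.rsc'.length);
    return isProtected(page) ? `.rsc variant of ${page}` : null;
  }
  return null;
}

// Only 2xx responses are candidates: a 302 or 401 on one of these paths
// means the middleware did run and refused the request.
function findBypassCandidates(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e) continue;
    const reason = bypassReason(e.target);
    if (reason && e.status >= 200 && e.status < 300) {
      const path = new URL(e.target, 'http://placeholder').pathname;
      hits.push({ ip: e.ip, ts: e.ts, path, status: e.status, reason });
    }
  }
  return hits;
}

for (const h of findBypassCandidates(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.ip} ${h.status} ${h.path}: ${h.reason}`);
}
```

Run it against a real log after adding your own protected prefixes and locales; any hit is a request for a protected page that the server answered without the redirect or 401 your middleware would have produced, and is worth pulling the full request for.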
SSRF Via WebSocket Upgrade Requests
Self-hosted applications using the built-in Node.js server are vulnerable to server-side request forgery through crafted WebSocket upgrade requests, tracked as CVE-2026-44578 (GHSA-c4j6-fc7j-m34r).
An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints such as AWS instance metadata APIs.
Vercel-hosted deployments are not affected, but Cloudflare confirmed that no managed WAF rule can safely mitigate this flaw without breaking application behavior, making immediate patching the only reliable fix.
Cache Poisoning and XSS Vulnerabilities Patched
The update also resolves several moderate and low-severity issues. GHSA-wfc6-r584-vfw7 covers cache poisoning in React Server Component responses, while GHSA-vfv6-92ff-j949 addresses a cache-busting collision attack that also enables cache poisoning, at a lower severity level.
Two cross-site scripting vulnerabilities were also patched: GHSA-ffhc-5mcf-pf4q affects App Router applications using CSP nonces, and GHSA-gx5p-jg67-6x7h targets pre-interactive scripts with untrusted input.
An additional denial-of-service in the Image Optimization API (GHSA-h64f-5h5j-jqjh) rounds out the moderate-severity fixes, as Vercel stated on GitHub.
Mitigation
Developers should immediately upgrade Next.js to version 15.5.16 or 16.2.5, and the React Server Components packages to 19.0.6, 19.1.7, or 19.2.6.
Users of third-party adapters such as OpenNext and TanStack Start should also update to their latest releases.
For teams unable to upgrade right away, Vercel recommends moving authorization logic into server-side data paths and route handlers rather than relying solely on middleware, and blocking WebSocket upgrades at the load balancer level where not required.
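What the two interim mitigations look like in code, as an added example that is not Vercel's or Next.js' own: an App Router route handler that authorizes every request itself, so a .rsc or prefetch variant that slips past the middleware matcher still hits a check, and a header test a reverse proxy in front of a self-hosted `next start` can use to refuse WebSocket upgrades. It assumes a session cookie named `session` and role-based access; the in-memory session store is a constructed stand-in for a real session lookup, and the route path is hypothetical.

```javascript
// Added example, not Vercel's or Next.js' code: a route handler (think
// app/api/admin/report/route.js) that does its own authorization instead of
// trusting that middleware ran, plus an edge-side WebSocket upgrade check.

// Constructed stand-in for a real session store; keys are cookie values.
const SESSIONS = new Map([
  ['sess_admin_01', { user: 'alice', roles: ['admin'] }],
  ['sess_user_02', { user: 'bob', roles: ['user'] }],
]);

function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Called by every protected data path, so the middleware matcher is no
// longer the only gate. 401 for no session, 403 for a session without the role.
function authorize(request, requiredRole) {
  const cookies = parseCookies(request.headers.get('cookie'));
  const session = cookies.session ? SESSIONS.get(cookies.session) : undefined;
  if (!session) return { ok: false, status: 401 };
  if (!session.roles.includes(requiredRole)) return { ok: false, status: 403 };
  return { ok: true, session };
}

function handleReport(request) {
  const auth = authorize(request, 'admin');
  if (!auth.ok) {
    return new Response(null, { status: auth.status, headers: { 'Cache-Control': 'no-store' } });
  }
  const body = JSON.stringify({ report: 'quarterly', generatedFor: auth.session.user });
  // Per-user data: keep it out of shared caches.
  return new Response(body, {
    status: 200,
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'private, no-store' },
  });
}

// In the real route.js this is `export async function GET(request)`.
async function GET(request) {
  return handleReport(request);
}

// For a Node reverse proxy in front of `next start`, where req.headers is
// Node's lowercase header object: true when the client asks for a WebSocket
// upgrade, so the proxy can answer 403 instead of forwarding the request.
function isWebSocketUpgrade(nodeHeaders) {
  const upgrade = String(nodeHeaders['upgrade'] || '').toLowerCase();
  const connection = String(nodeHeaders['connection'] || '').toLowerCase();
  const tokens = connection.split(',').map(t => t.trim());
  return upgrade === 'websocket' && tokens.includes('upgrade');
}
```

The handler deliberately uses only the standard `Request` and `Response` objects that App Router route handlers receive and return, so the same check can sit in a Server Function or a data-fetching function without change. For the proxy side, apply `isWebSocketUpgrade` in the request path and, if the proxy is a plain Node `http` server, also leave the `'upgrade'` event unhandled where upgrades are not needed, since Node closes such connections when no listener is registered.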