Security Update: Multiple vulnerabilities in Next.js and React
May 8, 2026
The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.
Summary
If you run Next.js on Netlify, we strongly recommend upgrading next to 15.5.18 or 16.2.6 and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need OpenNext Netlify Next.js adapter v5.15.11. If you use react-server-dom-* outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See What should I do? for full steps.
Netlify’s platform is not vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See Impact on Netlify for the per-CVE verdict.
Vulnerabilities
React (react-server-dom-*)
This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The Next.js advisory GHSA-8h8q-6873-q5fj tracks the same issue downstream.
| Vulnerability | Severity | Affected versions | Fixed in |
|---|---|---|---|
| GHSA-rv78-f8rc-xrxh — DoS in Server Components (CVE-2026-23870) | High | 19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5 | 19.0.6, 19.1.7, 19.2.6 |
Next.js
All Next.js issues are patched in 15.5.18 and 16.2.6. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.
| Vulnerability | Severity | Affected versions |
|---|---|---|
| GHSA-8h8q-6873-q5fj — DoS with Server Components | High | ≥13.0.0 |
| GHSA-267c-6grr-h53f — Middleware / Proxy bypass in App Router via segment-prefetch routes | High | ≥15.2.0 |
| GHSA-26hh-7cqf-hhc6 — Follow-up to GHSA-267c-6grr-h53f: incomplete fix for middleware.ts with Turbopack | High | ≥15.2.0 |
| GHSA-mg66-mrh9-m8jx — DoS via connection exhaustion in apps using Cache Components | High | ≥15.0.0 (apps using Cache Components) |
| GHSA-492v-c6pp-mqqv — Middleware / Proxy bypass through dynamic route parameter injection | High | ≥15.4.0 |
| GHSA-c4j6-fc7j-m34r — SSRF in applications using WebSocket upgrades | High | ≥13.4.13 |
| GHSA-36qx-fr4f-26g5 — Middleware / Proxy bypass in Pages Router applications using i18n | High | ≥12.2.0 |
| GHSA-ffhc-5mcf-pf4q — XSS in App Router applications using CSP nonces | Medium | ≥13.4.0 |
| GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts with untrusted input | Medium | ≥13.0.0 |
| GHSA-h64f-5h5j-jqjh — DoS in the Image Optimization API | Medium | ≥10.0.0 |
| GHSA-wfc6-r584-vfw7 — Cache poisoning in React Server Component responses | Medium | ≥14.2.0 |
| GHSA-vfv6-92ff-j949 — Cache poisoning via collisions in React Server Component cache-busting | Low | ≥13.4.6 |
| GHSA-3g8h-86w9-wvmq — Middleware / Proxy redirects can be cache-poisoned | Low | ≥12.2.0 |
Impact on Netlify
Denial of service
GHSA-8h8q-6873-q5fj and GHSA-mg66-mrh9-m8jx are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components (GHSA-mg66-mrh9-m8jx) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.
GHSA-h64f-5h5j-jqjh affects the Next.js Image Optimization API. Netlify projects are not affected: this Next.js code path is not used on Netlify — image optimization is handled by Netlify Image CDN, a separate service that runs outside your project’s functions with its own protections against this class of issue.
Middleware / proxy bypass
Four of the advisories, plus the follow-up to one of them, concern Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per advisory:
- GHSA-3g8h-86w9-wvmq (cache-poisoned redirects): Netlify projects are not affected. Our OpenNext Netlify Next.js adapter already varies cached responses on the `x-nextjs-data` header.
- GHSA-492v-c6pp-mqqv (dynamic route parameter injection): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
- GHSA-36qx-fr4f-26g5 (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are affected. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in OpenNext Netlify Next.js adapter v5.15.11. See how to upgrade below.
- GHSA-267c-6grr-h53f (App Router segment-prefetch bypass) and GHSA-26hh-7cqf-hhc6 (follow-up): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves both.
Cross-site scripting
GHSA-ffhc-5mcf-pf4q and GHSA-gx5p-jg67-6x7h are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to beforeInteractive scripts may be vulnerable. Upgrade Next.js to remediate.
Server-side request forgery
GHSA-c4j6-fc7j-m34r affects applications using WebSocket upgrades. Netlify projects are not affected: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.
Cache poisoning
GHSA-wfc6-r584-vfw7 and GHSA-vfv6-92ff-j949 affect React Server Component response caching. Netlify projects are not affected: Netlify’s CDN does not rely on the _rsc cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors Vary on RSC-related request headers.
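To make the mechanism the two caching notes above rely on concrete, here is an added illustration of a shared cache whose key incorporates the request value of every header named in the response's Vary header. This is example code written for this page, not Netlify's CDN or adapter code, and it does not describe how either advisory is triggered: the origin, the `/account` route and the requests are constructed samples, and the only name reused from the text is the `x-nextjs-data` request header, taken here as the header the origin's response depends on.

```javascript
'use strict';

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers ?? {})) out[name.toLowerCase()] = String(value);
  return out;
}

// Secondary cache key: one "name=value" pair per header named in Vary, sorted
// so the order in which the origin lists them does not create extra variants.
function secondaryKey(vary, reqHeaders) {
  return vary.split(',').map(n => n.trim().toLowerCase()).filter(Boolean).sort()
    .map(n => `${n}=${reqHeaders[n] ?? ''}`).join('&');
}

class VaryAwareCache {
  constructor() { this.store = new Map(); }  // url -> Map(secondaryKey -> entry)

  get(url, reqHeaders) {
    const req = normalizeHeaders(reqHeaders);
    for (const entry of (this.store.get(url) ?? new Map()).values()) {
      // Recompute the key with the Vary list the stored response declared.
      if (secondaryKey(entry.vary, req) === entry.key) return entry.response;
    }
    return null;
  }

  put(url, reqHeaders, response) {
    const vary = (normalizeHeaders(response.headers).vary ?? '').trim();
    if (vary === '*') return false;  // Vary: * means the response is never reusable
    const key = secondaryKey(vary, normalizeHeaders(reqHeaders));
    if (!this.store.has(url)) this.store.set(url, new Map());
    this.store.get(url).set(key, { vary, key, response });
    return true;
  }
}

// Constructed origin: the same path answers a navigation with HTML and a
// request carrying x-nextjs-data: 1 with JSON. `declareVary` controls whether
// the origin tells caches that the body depends on that request header.
function origin(reqHeaders, declareVary) {
  const isData = normalizeHeaders(reqHeaders)['x-nextjs-data'] === '1';
  return {
    status: 200,
    headers: {
      'content-type': isData ? 'application/json' : 'text/html',
      ...(declareVary ? { vary: 'x-nextjs-data' } : {}),
    },
    body: isData ? '{"pageProps":{}}' : '<html><body>page</body></html>',
  };
}

// Serve from the cache when the key matches; otherwise ask the origin and store.
function fetchVia(cache, url, reqHeaders, declareVary) {
  const hit = cache.get(url, reqHeaders);
  if (hit) return { ...hit, fromCache: true };
  const response = origin(reqHeaders, declareVary);
  cache.put(url, reqHeaders, response);
  return { ...response, fromCache: false };
}

// A data request warms the cache for /account, then a plain navigation follows,
// then another data request. Reports what the navigation received and whether
// the later data request still gets its own JSON variant.
function scenario(declareVary) {
  const cache = new VaryAwareCache();
  fetchVia(cache, '/account', { 'X-Nextjs-Data': '1' }, declareVary);
  const nav = fetchVia(cache, '/account', { accept: 'text/html' }, declareVary);
  const data = fetchVia(cache, '/account', { 'x-nextjs-data': '1' }, declareVary);
  return {
    navigationGot: nav.headers['content-type'],
    navigationFromCache: nav.fromCache,
    dataFromCache: data.fromCache,
  };
}

console.log('without Vary:', scenario(false));
console.log('with Vary:   ', scenario(true));
```

Without `Vary: x-nextjs-data` the URL alone is the key, so the navigation is served the JSON body that the earlier data request stored; with it, the two request shapes get separate entries and each is served its own variant. Whether a real CDN keys on a header depends on the cache, not only on the origin, which is why the adapter note above matters.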
What should I do?
We strongly recommend upgrading as soon as possible to patched releases:
- Next.js projects: upgrade `next` to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate `react-server-dom-*` upgrade is not needed.
- Direct `react-server-dom-*` users (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` to 19.0.6, 19.1.7, or 19.2.6, matching your React minor.
For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
For projects using Pages Router with i18n and Next.js Middleware / Proxy (GHSA-36qx-fr4f-26g5), the upstream Next.js fix does not fully apply on Netlify. The fix ships in OpenNext Netlify Next.js adapter v5.15.11:
- Auto-installed adapter (default): redeploy.
- Manually installed adapter: upgrade `@netlify/plugin-nextjs` to v5.15.11 and redeploy. We recommend not pinning the adapter version so future fixes ship automatically.
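As an added example (not code from Netlify, Next.js or React), here is a Node script that takes the exact versions a lockfile resolves for `next` and `react-server-dom-*` and reports which of the advisories listed above still apply, the Netlify verdict for each from the Impact on Netlify section, and the release to move to. The version ranges, fixed versions and verdicts are transcribed from the tables; the dependency map at the bottom is a constructed sample, and a `next` major above 16 is reported as outside what the tables cover rather than assumed patched.

```javascript
'use strict';

// Releases of next that carry every fix in the tables above.
const NEXT_PATCHED_BY_MAJOR = { 15: '15.5.18', 16: '16.2.6' };

// Next.js advisories: lower bound of the affected range from the table and the
// Netlify verdict from the "Impact on Netlify" section. 'conditional' marks
// issues that only apply when a specific feature or router setup is in use.
const NEXT_ADVISORIES = [
  { id: 'GHSA-8h8q-6873-q5fj', severity: 'High',   since: '13.0.0',  netlify: 'affected',     note: 'DoS; autoscaling limits blast radius, but costs can rise' },
  { id: 'GHSA-267c-6grr-h53f', severity: 'High',   since: '15.2.0',  netlify: 'affected',     note: 'App Router segment-prefetch middleware bypass' },
  { id: 'GHSA-26hh-7cqf-hhc6', severity: 'High',   since: '15.2.0',  netlify: 'affected',     note: 'follow-up: middleware.ts with Turbopack' },
  { id: 'GHSA-mg66-mrh9-m8jx', severity: 'High',   since: '15.0.0',  netlify: 'conditional',  note: 'only apps using Cache Components (opt-in)' },
  { id: 'GHSA-492v-c6pp-mqqv', severity: 'High',   since: '15.4.0',  netlify: 'affected',     note: 'dynamic route parameter injection' },
  { id: 'GHSA-c4j6-fc7j-m34r', severity: 'High',   since: '13.4.13', netlify: 'not-affected', note: 'WebSocket upgrades are not supported on Netlify' },
  { id: 'GHSA-36qx-fr4f-26g5', severity: 'High',   since: '12.2.0',  netlify: 'conditional',  note: 'Pages Router + i18n + Middleware; also needs @netlify/plugin-nextjs v5.15.11' },
  { id: 'GHSA-ffhc-5mcf-pf4q', severity: 'Medium', since: '13.4.0',  netlify: 'affected',     note: 'XSS with CSP nonces in App Router' },
  { id: 'GHSA-gx5p-jg67-6x7h', severity: 'Medium', since: '13.0.0',  netlify: 'affected',     note: 'XSS in beforeInteractive scripts with untrusted input' },
  { id: 'GHSA-h64f-5h5j-jqjh', severity: 'Medium', since: '10.0.0',  netlify: 'not-affected', note: 'Image Optimization API is not used on Netlify' },
  { id: 'GHSA-wfc6-r584-vfw7', severity: 'Medium', since: '14.2.0',  netlify: 'not-affected', note: 'RSC cache poisoning' },
  { id: 'GHSA-vfv6-92ff-j949', severity: 'Low',    since: '13.4.6',  netlify: 'not-affected', note: '_rsc cache-busting collisions' },
  { id: 'GHSA-3g8h-86w9-wvmq', severity: 'Low',    since: '12.2.0',  netlify: 'not-affected', note: 'adapter varies on x-nextjs-data' },
];

// react-server-dom-* fixed version per affected React minor (GHSA-rv78-f8rc-xrxh).
const RSD_FIXED_BY_MINOR = { '19.0': '19.0.6', '19.1': '19.1.7', '19.2': '19.2.6' };

// Parse an exact "major.minor.patch" string as found in a lockfile. Ranges such
// as "^15.5.0" are rejected: a range says nothing about what is installed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`expected an exact version, got "${v}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories that still apply to an installed next version, and the release to
// move to. 13.x and 14.x get no patch, so they are pointed at a patched 15/16.
function nextStatus(installed) {
  const [major] = parseVersion(installed);
  if (major > 16) return { covered: false, advisories: [], upgradeTo: null };
  const patched = NEXT_PATCHED_BY_MAJOR[major];
  if (patched && compareVersions(installed, patched) >= 0) {
    return { covered: true, advisories: [], upgradeTo: null };
  }
  const advisories = NEXT_ADVISORIES.filter(a => compareVersions(installed, a.since) >= 0);
  return { covered: true, advisories, upgradeTo: advisories.length ? (patched || '15.5.18 or 16.2.6') : null };
}

// Finding for a react-server-dom-* package, or null when it is already fixed or
// lies outside the affected 19.0 to 19.2 minors.
function reactServerDomFinding(installed) {
  const [major, minor] = parseVersion(installed);
  const fixed = RSD_FIXED_BY_MINOR[`${major}.${minor}`];
  if (!fixed || compareVersions(installed, fixed) >= 0) return null;
  return { id: 'GHSA-rv78-f8rc-xrxh', cve: 'CVE-2026-23870', severity: 'High', upgradeTo: fixed };
}

// Audit a map of package name -> resolved version.
function audit(resolved) {
  const report = {};
  if (resolved.next) report.next = nextStatus(resolved.next);
  for (const name of ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack']) {
    if (resolved[name]) report[name] = reactServerDomFinding(resolved[name]);
  }
  return report;
}

// Constructed sample; in practice read the resolved versions out of your lockfile.
const SAMPLE = { next: '15.5.17', 'react-server-dom-webpack': '19.2.5' };
console.log(JSON.stringify(audit(SAMPLE), null, 2));
```

Run it against the versions your lockfile actually resolved, not the ranges in package.json; a `^15.5.0` range is satisfied by both vulnerable and patched releases. Findings marked `not-affected` are the ones the Impact on Netlify section rules out for Netlify projects; they still apply if the same app is deployed elsewhere.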
Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.