Vercel has issued critical security updates for Next.js, addressing numerous vulnerabilities that could impact the security and performance of applications. The advisories cover issues such as denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting. These vulnerabilities affect Next.js versions 13.x through 16.x and React Server Components for versions 19.x.
Denial of Service Vulnerability
A significant denial-of-service flaw, identified as CVE-2026-23870, impacts React Server Components in version 19.x and all affected Next.js App Router deployments. This vulnerability can be exploited by sending specially crafted HTTP requests that lead to excessive CPU usage, causing service disruptions. The root cause lies in the ‘Flight’ protocol’s deserialization logic, which does not enforce necessary constraints on incoming payloads.
Middleware and Proxy Authorization Issues
Several vulnerabilities, including GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv, involve middleware bypasses in App Router applications. Crafted URLs can bypass middleware rules, allowing unauthorized access to protected content. The update ensures consistent application of middleware protections across all request types. Until upgrades are feasible, developers should implement authorization within route or page logic.
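The interim mitigation above is to check authorization inside the route or page itself rather than trusting that middleware ran. The following is an added example written for this article, not code from Next.js or the advisories: an App Router-style route handler (the file path app/api/admin/report/route.js, the session cookie name, the in-memory session table and the role names are all assumptions) that makes its own authorization decision using only the Web Request and Response globals, so a request that reaches the handler without passing through middleware is still rejected.

```javascript
// Added example, not Next.js project code. Uses the Web Request/Response
// globals (Node 18+ and Next.js route handlers), so it runs without the framework.

// Constructed in-memory session table standing in for a real session store.
const SESSIONS = new Map([
  ["sess-alice-0001", { user: "alice", roles: ["admin"] }],
  ["sess-bob-0002", { user: "bob", roles: ["viewer"] }],
]);

// Parse the Cookie header into a name -> value object.
function parseCookies(request) {
  const header = request.headers.get("cookie") || "";
  const cookies = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Authorization decision made in the route itself: returns the session when the
// request carries a known "session" cookie with the required role, otherwise the
// Response that should be sent back (401 unauthenticated, 403 wrong role).
function authorize(request, requiredRole) {
  const { session: sessionId } = parseCookies(request);
  const session = sessionId ? SESSIONS.get(sessionId) ?? null : null;
  if (!session) {
    return { session: null, denied: new Response("Unauthorized", { status: 401 }) };
  }
  if (requiredRole && !session.roles.includes(requiredRole)) {
    return { session: null, denied: new Response("Forbidden", { status: 403 }) };
  }
  return { session, denied: null };
}

// Route handler for app/api/admin/report/route.js (assumed path). In a Next.js
// route file this would be `export function GET`; the check lives here so that
// a middleware bypass alone does not expose the data.
function GET(request) {
  const { session, denied } = authorize(request, "admin");
  if (denied) return denied;
  const body = JSON.stringify({ report: "quarterly", generatedFor: session.user });
  return new Response(body, {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

if (typeof module !== "undefined") {
  module.exports = { GET, authorize, parseCookies };
}
```

The same `authorize` helper can be called from a server component or page before rendering protected content; the middleware remains useful as a first line of defence, but no route depends on it alone.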
Server-Side Request Forgery and Other Vulnerabilities
CVE-2026-44578, a high-risk server-side request forgery vulnerability, can be exploited via crafted WebSocket upgrade requests in self-hosted Node.js setups. This flaw enables attackers to manipulate servers into proxying requests to unauthorized destinations. While Vercel-hosted deployments remain unaffected, the fix applies stringent safety checks to WebSocket handling.
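The advisory does not spell out the safety checks the fix adds, so the following is an added example of the generic defence a self-hosted deployment can apply in front of any upgrade proxying: forward a WebSocket upgrade only to a destination on an explicit allowlist, and refuse everything else with a loggable reason. It is not the Next.js patch; the allowlisted upstream origins and the function name are constructed for the example.

```javascript
// Added example, not the Next.js fix: allowlist check for a proxied WebSocket
// upgrade target. Only explicit ws/wss origins may be forwarded.
const ALLOWED_UPSTREAMS = new Set([
  "ws://app-backend.internal:8080",   // constructed internal service
  "wss://realtime.example.com",       // constructed external service
]);

// Decide whether a requested upgrade target may be proxied. Returns an object
// with `allowed` and a `reason` suitable for a security log line.
function upgradeTargetDecision(rawTarget) {
  let url;
  try {
    url = new URL(rawTarget);            // throws on relative or malformed input
  } catch {
    return { allowed: false, reason: "unparseable target" };
  }
  if (url.username || url.password) {
    // user@host forms are a classic way to make a host look allowlisted
    return { allowed: false, reason: "userinfo in target" };
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
    return { allowed: false, reason: `unsupported scheme ${url.protocol}` };
  }
  // url.host keeps a non-default port and drops a default one, so the
  // comparison is against a normalised origin, not the raw string.
  const origin = `${url.protocol}//${url.host}`;
  if (!ALLOWED_UPSTREAMS.has(origin)) {
    return { allowed: false, reason: `destination ${origin} not on allowlist` };
  }
  return { allowed: true, reason: "allowlisted", target: url.href };
}

// Format a decision as a single log line for the SOC to alert on.
function upgradeLogLine(clientIp, rawTarget) {
  const d = upgradeTargetDecision(rawTarget);
  return `ws-upgrade client=${clientIp} target=${JSON.stringify(rawTarget)} allowed=${d.allowed} reason=${JSON.stringify(d.reason)}`;
}

if (typeof module !== "undefined") {
  module.exports = { upgradeTargetDecision, upgradeLogLine, ALLOWED_UPSTREAMS };
}
```

In a Node `http.Server`, the `upgrade` event handler would call `upgradeTargetDecision` before opening any upstream socket and destroy the client socket when `allowed` is false; counting denied decisions per client is a cheap detection signal for probing.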
Additionally, CVE-2026-44573 affects Pages Router applications with i18n and middleware-based authorization, allowing JSON data retrieval without proper checks. Updates ensure consistent matcher logic across all data routes.
Several moderate and low-severity issues have also been addressed, including cross-site scripting vulnerabilities, cache poisoning, and connection exhaustion denial-of-service flaws. Organizations using impacted Next.js versions should upgrade immediately or apply interim mitigations, such as authorization checks inside route or page logic and network-level restrictions.
As cybersecurity threats evolve, maintaining updated software is crucial for safeguarding applications. By addressing these vulnerabilities, developers can protect their systems from potential attacks and ensure robust security.
