Why This Matters

In May 2026, Vercel published a critical security update for Next.js, addressing 13 advisories across multiple attack vectors. If you're running any version of Next.js (App Router or Pages Router), you need to upgrade immediately. The release also includes an upstream fix for React Server Components (tracked as CVE-2026-23870), which can cause denial of service via connection exhaustion.

This isn't just a routine patch — some vulnerabilities allow authorization bypass in middleware and proxy layers, meaning an attacker could access protected routes without proper credentials. Others enable cache poisoning of React Server Component responses, which could serve malicious content to your users.

Bottom line: Patching is the only complete mitigation. WAF rules cannot reliably block these attacks.


Vulnerability Breakdown

1. Middleware & Proxy Bypass (High Severity)

Two separate issues affect applications relying on middleware.js or proxy.js for authorization:

  • App Router segment-prefetch bypass — incomplete fix from a previous advisory, now fully patched.
  • Pages Router i18n default-locale path bypass — attackers can circumvent proxy authorization by manipulating locale prefixes.

// Example: vulnerable middleware pattern (DO NOT USE)
import { NextResponse } from 'next/server';

export function middleware(request) {
  const token = request.cookies.get('auth_token');
  if (!token) {
    // This check could be bypassed via segment-prefetch
    // (NextResponse.redirect requires an absolute URL, hence new URL(...))
    return NextResponse.redirect(new URL('/login', request.url));
  }
  return NextResponse.next();
}
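The following is an added example, not code from the advisory or from Vercel, showing the hardened shape of that pattern written as plain functions so it can be unit-tested outside Next.js: the path is canonicalized (including Pages Router locale prefixes) before it is matched against a protected list, malformed paths fail closed, and the decision depends only on the canonical path and a verified session cookie, never on client-supplied headers that describe the request kind. LOCALES, PROTECTED_PREFIXES, verifySession and requireSession are constructed assumptions.

```javascript
// Added example (not the advisory's code): middleware/proxy authorization as
// plain functions, testable outside Next.js. Config values are constructed.
const LOCALES = ['en', 'de', 'fr'];
const PROTECTED_PREFIXES = ['/dashboard', '/account', '/api/private'];

// Canonicalize before matching: drop empty/"." segments, resolve "..",
// percent-decode, lower-case, and strip a leading i18n locale (Pages Router
// serves /de/dashboard and /dashboard as one page, so one rule must cover both).
function normalizePath(pathname, locales = LOCALES) {
  const segments = [];
  for (const raw of pathname.split('/')) {
    const seg = decodeURIComponent(raw); // throws on malformed %-sequences
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg.toLowerCase());
  }
  if (segments.length && locales.includes(segments[0])) segments.shift();
  return '/' + segments.join('/');
}

// Deny-list match on the canonical path; a path that cannot be canonicalized
// counts as protected (fail closed) instead of being skipped.
function isProtectedPath(pathname) {
  let path;
  try { path = normalizePath(pathname); } catch { return true; }
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Edge decision. `req` is a minimal { pathname, cookies } object and
// verifySession(token) returns a session or null. Only the canonical path and
// a verified cookie matter; no header describing the request kind (prefetch,
// RSC, sub-request) is consulted, so such headers cannot downgrade the check.
// In middleware.js, build req from request.nextUrl.pathname and
// request.cookies.get('auth_token')?.value, then map the result onto
// NextResponse.redirect(new URL(location, request.url)) / NextResponse.next().
function authorize(req, verifySession) {
  if (!isProtectedPath(req.pathname)) return { action: 'next' };
  const token = req.cookies.get('auth_token');
  const session = token ? verifySession(token) : null;
  if (!session) return { action: 'redirect', location: '/login' };
  return { action: 'next', session };
}

// Defense in depth: repeat the check where data is read (route handler,
// server component), so middleware is an early gate, not the only one.
function requireSession(cookies, verifySession) {
  const session = verifySession(cookies.get('auth_token') ?? '');
  if (!session) throw new Error('unauthorized');
  return session;
}
```

The point of requireSession is that a bypass of the edge layer alone no longer exposes data; the route or component still refuses to render without a verified session.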

2. Denial of Service (High & Moderate)

Three DoS vectors were fixed:

  • CVE-2026-23870 (High): React Server Components can be exhausted by crafted requests.
  • Cache Components DoS (High): Connection exhaustion via Partial Prerendering with Cache Components.
  • Image Optimization API DoS (Moderate): Resource exhaustion via malformed image requests.

3. Server-Side Request Forgery (SSRF)

Applications handling WebSocket upgrade requests are vulnerable to SSRF — an attacker could make the server send requests to internal services.

4. Cache Poisoning

If you have a caching layer (e.g., CDN) in front of React Server Component responses, attackers can poison the cache with malicious payloads.

5. Cross-Site Scripting (XSS)

Applications using CSP nonces in App Router, or beforeInteractive scripts consuming untrusted input, are at risk.


Mitigation & Upgrade Path

Fixed Versions

Package                 Fixed Version
React (server-dom-*)    19.0.6, 19.1.7, 19.2.6
Next.js                 14.2.x, 15.x (latest patch)

Upgrade Commands

# Update React packages
npm install react@19.2.6 react-dom@19.2.6

# Update Next.js
npm install next@latest

# Verify versions
npx next --version

Important Notes

  • No WAF rules were deployed for this release — patching is mandatory.
  • Frameworks using react-server-dom-* packages must update through their respective maintainers.
  • If you use proxy.js for authorization, review your logic after upgrading.

Limitations & Caveats

  • The middleware bypass fix may require configuration changes if you relied on the previous (incomplete) behavior.
  • Cache poisoning mitigation assumes you have control over your CDN configuration — verify cache invalidation settings.
  • SSRF fix only applies to WebSocket upgrade paths; other SSRF vectors in your application are not addressed by this patch.


Next Steps & Learning Path

  1. Upgrade immediately — run the commands above in all environments.
  2. Audit your middleware — ensure authorization logic is not affected by the bypass patterns.
  3. Review CDN caching — if you cache RSC responses, implement proper cache keys and validation.
  4. Monitor for regressions — test your application thoroughly after upgrade.


Recommended Reading

Source: Vercel Changelog: Next.js May 2026 Security Release

This content was drafted using AI tools based on reliable sources, and has been reviewed by our editorial team before publication. It is not intended to replace professional advice.