https://news.hada.io/topic?id=29283
React team and Vercel simultaneously disclosed 12 security vulnerabilities affecting React Server Components and Next.js, strongly recommending immediate application updates.
The vulnerabilities include a variety of attack vectors such as Denial-of-Service (DoS), middleware bypass, SSRF, XSS, and cache poisoning, classified into six High severity, four Moderate, and two Low.
Patch versions React 19.0.6/19.1.7/19.2.6 and Next.js 15.5.16/16.2.5 are provided, and updates for other React-based server frameworks are also necessary.
Some vulnerabilities cannot be blocked by network-level defenses such as WAFs, making application code patching essential.
The vulnerabilities span a wide range of Next.js functionalities including Server Components, Pages Router, and Image Optimization API, resulting in a broad impact scope.
Affected Packages and Patch Versions
React patch targets: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack — each requiring updates to versions 19.0.6, 19.1.7, and 19.2.6 respectively.
Next.js patch targets: 15.5.16 and 16.2.5
When using React-based server frameworks such as Vinext, OpenNext, and TanStack Start, update those frameworks to the latest versions as well.
High Severity Vulnerabilities (6)
CVE-2026-23870 / GHSA-8h8q-6873-q5fj — Denial-of-Service (DoS) in React Server Components.
GHSA-267c-6grr-h53f — Middleware bypass through the segment-prefetch route.
GHSA-mg66-mrh9-m8jx — Denial-of-Service through connection exhaustion in Cache Components.
GHSA-492v-c6pp-mqqv — Middleware bypass through dynamic route parameter injection.
GHSA-c4j6-fc7j-m34r — SSRF (Server-Side Request Forgery) through WebSocket upgrade.
GHSA-36qx-fr4f-26g5 — Middleware bypass in Pages Router i18n.
Moderate Severity Vulnerabilities (4)
GHSA-ffhc-5mcf-pf4q — XSS through CSP nonce.
GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts.
GHSA-h64f-5h5j-jqjh — Denial-of-Service in Image Optimization API.
GHSA-wfc6-r584-vfw7 — Cache poisoning in RSC responses.
Low Severity Vulnerabilities (2)
WAF Blockability
Only some DoS vulnerabilities can be blocked at the network level (WAF). Existing React Server Component CVE mitigation rules also apply to new DoS vulnerabilities.
Many High severity vulnerabilities, including middleware bypass, SSRF, and XSS, cannot be safely blocked by WAFs. Application code patching is the only solution.
Custom WAF rules may be possible, but applying global managed rules risks disrupting application functionality.
Framework Adapter Impact
Vinext: The architecture differs from basic Next.js and is not vulnerable to the disclosed CVEs.
PPR resume protocol not implemented, Pages Router data-route endpoints not exposed, internal headers such as x-nextjs-data removed at request boundary.
Additional protection added by requiring React version 19.2.6 or higher when running vinext init.
OpenNext: The adapter itself is not directly vulnerable, but users need to update their Next.js versions within the application.
▶ Original Source: https://news.hada.io/topic?id=29283