Multiple security vulnerabilities disclosed in React and Next.js, immediate patching recommended.

211.131.***.***
11

https://news.hada.io/topic?id=29283

  • React team and Vercel simultaneously disclosed 12 security vulnerabilities affecting React Server Components and Next.js, strongly recommending immediate application updates.

  • The vulnerabilities include a variety of attack vectors such as Denial-of-Service (DoS), middleware bypass, SSRF, XSS, and cache poisoning, classified into six High severity, four Moderate, and two Low.

  • Patch versions React 19.0.6/19.1.7/19.2.6 and Next.js 15.5.16/16.2.5 are provided, and updates for other React-based server frameworks are also necessary.

  • Some vulnerabilities cannot be blocked by network-level defenses such as WAFs, making application code patching essential.

  • The vulnerabilities span a wide range of Next.js functionalities including Server Components, Pages Router, and Image Optimization API, resulting in a broad impact scope.


Affected Packages and Patch Versions

  • React patch targets: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack — each requiring updates to versions 19.0.6, 19.1.7, and 19.2.6 respectively.

  • Next.js patch targets: 15.5.16 and 16.2.5

  • When using React-based server frameworks such as Vinext, OpenNext, and TanStack Start, update those frameworks to the latest versions as well.

High Severity Vulnerabilities (6)

  • CVE-2026-23870 / GHSA-8h8q-6873-q5fj — Denial-of-Service (DoS) in React Server Components.

    • Affects both React and Next.js.

  • GHSA-267c-6grr-h53f — Middleware bypass through the segment-prefetch route.

  • GHSA-mg66-mrh9-m8jx — Denial-of-Service through connection exhaustion in Cache Components.

  • GHSA-492v-c6pp-mqqv — Middleware bypass through dynamic route parameter injection.

    • Cannot be safely blocked by WAF rules and may disrupt application functionality.

  • GHSA-c4j6-fc7j-m34r — SSRF (Server-Side Request Forgery) through WebSocket upgrade.

    • Cannot be safely blocked by WAF rules.

  • GHSA-36qx-fr4f-26g5 — Middleware bypass in Pages Router i18n.

Moderate Severity Vulnerabilities (4)

  • GHSA-ffhc-5mcf-pf4q — XSS through CSP nonce.

  • GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts.

  • GHSA-h64f-5h5j-jqjh — Denial-of-Service in Image Optimization API.

  • GHSA-wfc6-r584-vfw7 — Cache poisoning in RSC responses.

Low Severity Vulnerabilities (2)

  • GHSA-vfv6-92ff-j949 — Cache poisoning through RSC cache bursting collisions.

  • GHSA-3g8h-86w9-wvmq — Cache poisoning in middleware redirects.

WAF Blockability

  • Only some DoS vulnerabilities can be blocked at the network level (WAF). Existing React Server Component CVE mitigation rules also apply to new DoS vulnerabilities.

  • Many High severity vulnerabilities, including middleware bypass, SSRF, and XSS, cannot be safely blocked by WAFs. Application code patching is the only solution.

  • Custom WAF rules may be possible, but applying global managed rules risks disrupting application functionality.

Framework Adapter Impact

  • Vinext: The architecture differs from basic Next.js and is not vulnerable to the disclosed CVEs.

    • PPR resume protocol not implemented, Pages Router data-route endpoints not exposed, internal headers such as x-nextjs-data removed at request boundary.

    • Additional protection added by requiring React version 19.2.6 or higher when running vinext init.

  • OpenNext: The adapter itself is not directly vulnerable, but users need to update their Next.js versions within the application.

    • A new release with enhanced adapter security has been completed.

▶ Original Source: https://news.hada.io/topic?id=29283

로그인한 회원만 댓글 등록이 가능합니다.

자유게시판

KR | ID | EN
  • IDR
  • KOR
8.36 0.01

2026.07.10 KEB 하나은행 고시회차 964회

다가오는 한인 행사일정

  • 등록 된 일정이 없어요!