12 High‑Severity CVEs Simultaneously Disclosed Across All Next.js/React Versions
On May 8, 2026, security researcher dwisiswant0 released a GitHub repository containing proof‑of‑concept exploits for twelve newly fixed CVEs affecting all supported Next.js and React versions, including three classes of high‑severity flaw (SSRF, authentication bypass, and DoS) that threaten most self‑hosted deployments.
Timeline
May 7, 2026: Vercel core maintainer Tim Neutkens announced security patches for Next.js 15.5.16 and 16.2.5, covering branches 13.x through 16.x via a GitHub security advisory series (GHSA‑8h8q‑6873‑q5fj … GHSA‑3g8h‑86w9‑wvmq).
May 8, 2026: researcher dwisiswant0 published the GitHub repository next-16.2.4-pocs (https://github.com/dwisiswant0/next-16.2.4-pocs) containing reverse‑engineered PoC material for all twelve CVEs, including vulnerability descriptions, patch diffs, exploit scripts, and minimal reproducible examples.
Patch Versions
Next.js 15.x branch: fixed in version 15.5.16
Next.js 16.x branch: fixed in version 16.2.5 (Turbopack users must upgrade to 16.2.6)
react‑server‑dom‑webpack: fixed in versions 19.0.6 / 19.1.7 / 19.2.6
react‑server‑dom‑parcel: fixed in versions 19.0.6 / 19.1.7 / 19.2.6
react‑server‑dom‑turbopack: fixed in versions 19.0.6 / 19.1.7 / 19.2.6
Security outlets (Netlify, CyberPress, GBHackers, Cryptika Cybersecurity) reported that Vercel‑hosted deployments are immune to some of the flaws, but self‑hosted environments remain widely exposed.
Severity Distribution
High (6)
CVE‑2026‑44574 (GHSA‑492v‑c6pp‑mqqv) – Middleware bypass – Affects App Router dynamic routing
CVE‑2026‑44575 (GHSA‑267c‑6grr‑h53f) – Middleware bypass – Affects App Router .rsc / segment‑prefetch
CVE‑2026‑44573 (GHSA‑36qx‑fr4f‑26g5) – Middleware bypass – Affects Pages Router + i18n
CVE‑2026‑44578 (GHSA‑c4j6‑fc7j‑m34r) – SSRF (critical) – Affects self‑hosted WebSocket upgrade
CVE‑2026‑23870 (GHSA‑8h8q‑6873‑q5fj) – DoS (deserialization) – Affects App Router Server Function
CVE‑2026‑44579 (GHSA‑mg66‑mrh9‑m8jx) – DoS (deadlock) – Affects Cache Components Partial Prerendering
Moderate (4)
CVE‑2026‑44581 (GHSA‑ffhc‑5mcf‑pf4q) – CSP nonce parsing XSS
CVE‑2026‑44580 (GHSA‑gx5p‑jg67‑6x7h) – beforeInteractive XSS
CVE‑2026‑44577 (GHSA‑h64f‑5h5j‑jqjh) – Image optimization decompression bomb
CVE‑2026‑44576 (GHSA‑wfc6‑r584‑vfw7) – RSC and HTML cache confusion
Low (2)
CVE‑2026‑44582 (GHSA‑vfv6‑92ff‑j949) – RSC cache hash weakening
CVE‑2026‑44572 (GHSA‑3g8h‑86w9‑wvmq) – Redirect cache poisoning
Three Core Risks Explained
SSRF – CVE‑2026‑44578
Manipulating a WebSocket upgrade request forces a self‑hosted Next.js server to issue arbitrary outbound requests. Exploitation scenarios include scanning cloud‑provider metadata endpoints (e.g., 169.254.169.254), accessing internal services, and lateral movement. Vercel‑hosted deployments are not affected; all self‑hosted Node.js deployments must be evaluated immediately.
DoS Dual Threat – CVE‑2026‑23870 & CVE‑2026‑44579
CVE‑2026‑23870 demonstrates a “fix‑then‑break” situation: the version that patched CVE‑2026‑23869 (19.0.5 / 19.1.6 / 19.2.5) itself contains the DoS flaw. Organizations that applied the earlier patch without the newer one remain vulnerable.
CVE‑2026‑44579 targets the Cache Components Partial Prerendering feature; a malicious POST can deadlock request bodies and exhaust connections. Vercel recommends edge‑level blocking of inbound requests containing the Next-Resume header as a temporary mitigation.
Middleware Bypass Triple – CVE‑2026‑44574 / ‑44575 / ‑44573
CVE‑2026‑44574: injects dynamic route parameters to defeat middleware matching.
CVE‑2026‑44575: exploits the .rsc and segment‑prefetch URL formats to bypass App Router middleware checks.
CVE‑2026‑44573: leverages locale‑less data requests in Pages Router + i18n to bypass authentication and obtain SSR JSON.
Cloudflare WAF updates confirm that none of these bypasses can be reliably blocked by hosted WAF rules.
Impact of PoC Publication
The public release of the PoC repository turned theoretical risks into practical exploits; any attacker with modest skills can reproduce the vulnerabilities within minutes. The repository’s workshop link (Neo by ProjectDiscovery) further lowers the exploitation barrier. The GitHub Advisory Database and NVD have already indexed all twelve CVEs, and scanning tools are expected to incorporate detection rules within days.
Quick Impact Matrix
Next.js 15.x / 16.x self‑hosted – Exposure: High – Vercel immunity: Partial (SSRF/Cache DoS not immune)
Next.js 13.x / 14.x self‑hosted – Exposure: High – Vercel immunity: Partial
Vercel hosted (App Router) – Exposure: Medium – Vercel immunity: Most vulnerabilities immune
React Server Components package (RSC) – Exposure: High – Vercel immunity: N/A
React client‑side apps – Exposure: Low – Vercel immunity: N/A
Immediate Damage‑Control Actions
Upgrade immediately: Next.js to 15.5.16 / 16.2.5 (Turbopack users to 16.2.6); RSC packages to 19.0.6 / 19.1.7 / 19.2.6.
Edge mitigation: block inbound requests containing the Next-Resume header at the reverse‑proxy layer.
SSRF mitigation: deny unauthorized WebSocket upgrade requests and strip internal response headers.
WAF limitation: Cloudflare confirms network‑layer rules cannot fully block the issues; code‑level fixes are the only reliable solution.
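The two edge mitigations above (rejecting requests that carry the Next-Resume header, and refusing WebSocket upgrades outside an explicit allowlist) can be expressed as a small request filter in front of a self‑hosted Next.js server. The following is an added example written for this summary; it is not code from Vercel, Next.js, or the PoC repository. The header name Next-Resume is the one named in the advisory; the allowlisted WebSocket path and the list of response headers to strip are assumptions for illustration and should be adapted to the deployment.

```javascript
// Added example: reverse-proxy request filter for the two edge mitigations.
// Not part of Next.js or Vercel; header name "Next-Resume" comes from the
// advisory summary, the WebSocket allowlist and stripped headers are assumed.

// Assumed: the only path on which this deployment legitimately accepts
// WebSocket upgrades. Dev-only endpoints must never be reachable here.
const ALLOWED_WS_PATHS = new Set(['/api/ws']);

// Assumed list of upstream response headers that reveal internals and
// should not reach clients (e.g. framework/cache status banners).
const INTERNAL_RESPONSE_HEADERS = ['x-powered-by', 'x-nextjs-cache'];

// Decide whether a request may be forwarded to the Next.js upstream.
// Node.js lowercases incoming header names, so lookups use lowercase keys.
function classifyRequest(method, url, headers) {
  // Cache Components Partial Prerendering DoS mitigation (CVE-2026-44579):
  // drop any request that carries the Next-Resume header, whatever its value.
  if ('next-resume' in headers) {
    return { action: 'block', reason: 'Next-Resume header present' };
  }
  // WebSocket upgrade hardening (SSRF, CVE-2026-44578): only allow upgrades
  // on paths the application is known to serve.
  const upgrade = String(headers['upgrade'] || '').toLowerCase();
  if (upgrade === 'websocket') {
    const path = url.split('?')[0];
    if (!ALLOWED_WS_PATHS.has(path)) {
      return { action: 'block', reason: `WebSocket upgrade on non-allowlisted path ${path}` };
    }
  }
  return { action: 'allow', reason: '' };
}

// Remove internal headers from an upstream response header map (in place)
// and return the names that were actually stripped, for logging.
function stripInternalHeaders(responseHeaders) {
  const stripped = [];
  for (const name of Object.keys(responseHeaders)) {
    if (INTERNAL_RESPONSE_HEADERS.includes(name.toLowerCase())) {
      delete responseHeaders[name];
      stripped.push(name);
    }
  }
  return stripped;
}

// Build an http.Server request handler: blocked requests get a 403 with a
// one-line audit log; allowed requests are handed to `forward(req, res)`,
// which is the caller's upstream proxying logic (assumed, not shown).
function makeFilterHandler(forward, log = console.log) {
  return (req, res) => {
    const verdict = classifyRequest(req.method, req.url, req.headers);
    if (verdict.action === 'block') {
      log(`blocked ${req.method} ${req.url} from ${req.socket.remoteAddress}: ${verdict.reason}`);
      res.statusCode = 403;
      res.end('forbidden');
      return;
    }
    forward(req, res);
  };
}

module.exports = { classifyRequest, stripInternalHeaders, makeFilterHandler };
```

Mount the handler with `http.createServer(makeFilterHandler(forwardToUpstream))`; the filter is deliberately header-based and cheap so it can sit at the edge while the real fix (upgrading Next.js) is rolled out.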
Long‑Term Remediation Plan
P0 – within 24 hours: full upgrade of Next.js and RSC packages.
P0 – within 24 hours: verify lockfiles contain no vulnerable versions.
P1 – within 72 hours: review SSRF attack surface and restrict outbound traffic from self‑hosted Node.js.
P1 – current iteration: move authentication logic to the routing layer, removing middleware reliance.
P2 – ongoing: monitor GitHub Advisory for future disclosures (already four rounds).
Key Takeaway
Since December 2025, React Server Components have undergone at least four security announcement cycles, each introducing new DoS vectors after previous patches. This incident demonstrates that patches are not a one‑time fix; organizations must establish continuous monitoring for RSC‑related CVEs. Industries subject to GDPR, GB/T 22239, or PCI‑DSS face compliance liability if a data breach occurs within the narrow window between vulnerability disclosure and PoC publication (≈24 hours).