Vercel

Next.js Releases Coordinated Security Update Addressing 13 Critical Vulnerabilities


Executive Summary

Next.js has shipped a coordinated security release addressing 13 vulnerabilities affecting Next.js and an upstream React Server Components dependency (CVE-2026-23870). The advisories cover high-severity issues including denial of service, authentication bypass, server-side request forgery, cache poisoning, and cross-site scripting. The company strongly recommends that all users of affected versions upgrade immediately, stating that patching is the only complete mitigation for these issues.

Key Takeaways

* Announcement: A coordinated security release patching 13 advisories for Next.js and React.

* Vulnerability Categories: The fixes address Denial of Service (DoS), Middleware/Proxy Bypass, Server-Side Request Forgery (SSRF), Cache Poisoning, and Cross-Site Scripting (XSS).

* Upstream Vulnerability: Includes a patch for a high-severity DoS vulnerability in React Server Components, tracked as CVE-2026-23870.

* Affected Versions: All versions of Next.js 13.x and 14.x, as well as Next.js versions up to 15.5.17 and 16.2.5.

* Required Action: Users must upgrade immediately to the patched versions, which are Next.js `15.5.18` or `16.2.6`, along with updated `react-server-dom-*` packages.

* Mitigation: Patching is the only reliable solution; the vulnerabilities cannot be consistently blocked at the Web Application Firewall (WAF) layer.

Strategic Importance

This comprehensive security release is critical for maintaining developer trust and protecting the vast ecosystem of applications built on the popular Next.js framework. It highlights the importance of swift, coordinated patching for interconnected dependencies within the modern web stack.

Original article