Next.js patches multiple critical bugs

- Vercel and the Next.js team published a fresh batch of GitHub security advisories this week, covering multiple newly patched bugs in App Router, middleware, caching, and image handling. (github.com)
- The most urgent fixes hit React Server Components and App Router paths, with patched releases including Next.js 15.5.16, 15.5.18, 16.2.5, and 16.2.6 for separate high-severity flaws. (github.com)
- This matters because some bugs were incomplete-fix follow-ups, which means teams that already patched once may still be exposed until they upgrade again. (github.com)

Next.js just had one of those security weeks that makes framework maintainers and app teams both stop what they’re doing. Vercel’s GitHub advisories and changelog posts show a cluster of newly disclosed bugs across middleware, App Router, caching, image optimization, and React Server Components. (github.com) Some are “just” denial-of-service issues. Some can bypass protections or open SSRF paths. And one of the latest notices is an incomplete-fix follow-up — which is the part that should make already-patched teams look twice. (github.com)

### What actually shipped this week?

The short version is a batch of advisories, not one single CVE. The Next.js security advisory page shows new entries published over the last two days for middleware or proxy bypasses, cross-site scripting, SSRF tied to WebSocket upgrades, cache poisoning, image optimization DoS, and App Router or Server Components denial-of-service bugs. (github.com) That tells you this was a coordinated disclosure-and-patch wave, not a one-off bugfix.

### Which bugs look most urgent?

The highest-risk items are the ones that need no privileges and can be triggered over the network. One new advisory says a crafted request to an App Router Server Function endpoint can drive excessive CPU usage and cause denial of service, with affected versions stretching across Next.js 13.x through 16.x on the App Router path. (github.com) GitHub lists patched versions at 15.5.16 and 16.2.5 for that issue.

### Why do React Server Components keep showing up?

Because the vulnerable code is not just “a Next.js thing.” Vercel’s earlier security summary for CVE-2026-23864 says multiple high-severity React Server Components flaws could crash servers, exhaust memory, or burn CPU when a malicious request hits Server Function endpoints. (github.com) The blast radius includes React packages and downstream frameworks that embed them — Next.js among them.

Basically, if your app uses the App Router and Server Functions, you are sitting close to the hot path.

### What’s the deal with the incomplete fix?

This is the nastier operational detail. A new advisory published yesterday says the earlier fix for CVE-2026-44575 did not apply to `middleware.ts` when Turbopack was involved. (github.com) In plain English — some teams may have patched the original middleware bypass and still remained vulnerable in a specific setup. GitHub lists fresh patched versions at 15.5.18 and 16.2.6.

### Are Vercel-hosted apps already protected?

Partly, but not enough to call it done. Vercel says it pushed WAF rules and platform mitigations for the React Server Components DoS issues, including CVE-2026-23869 and CVE-2026-23864. But the company also says not to rely on the WAF for full protection and to upgrade immediately to patched releases. (vercel.com) That’s an important distinction — edge mitigation can buy time, but it is not the same thing as removing the vulnerable code path.

### Which versions should teams move to?

For the RSC-related DoS issues, the fixes landed in different trains depending on which branch you’re on. Vercel lists fixes for one January RSC bundle in versions including 15.5.10 and 16.0.11, and later April and May advisories move the floor again to 15.5.15, 15.5.16, 15.5.18, 16.2.3, 16.2.5, and 16.2.6 for separate bugs. (github.com) The practical takeaway is simple — don’t cherry-pick from memory. Check every advisory that matches your major and minor version.

### What should app teams do right now?

Upgrade Next.js first. Then review whether you use App Router, Server Functions, middleware, Turbopack, image optimization, custom caching behavior, or WebSocket upgrade flows — those are the areas named in the latest advisories. (vercel.com) After that, retest auth boundaries and any request-rewriting logic.

Security bugs in frameworks are dangerous because they sit underneath application code that otherwise looks perfectly fine.

### Bottom line?

This wasn’t one bug. It was a stack of them, and at least one patch needed another patch. If you run Next.js in production, especially with App Router features, the safe assumption is that “recently updated” may not mean “fully fixed” anymore. (github.com) (vercel.com)
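As an added example (not code from the article or from Vercel) of the “check every advisory that matches your major and minor version” step: a small Node.js check that reads the resolved `next` version from a `package-lock.json` and compares it against the highest patched release named in this article for its release train. The per-train floors are copied from the article’s text and are an assumption standing in for the real advisory data, which should be loaded from the GitHub advisories themselves.

```javascript
// Highest patched release this article names per release train (assumption:
// copied from the article; replace with data pulled from the advisories).
const PATCHED_FLOORS = {
  "15.5": "15.5.18", // incomplete-fix follow-up for the middleware bypass
  "16.2": "16.2.6",  // same follow-up on the 16.x train
};

// Parse "15.5.16" or "v15.5.16" into [major, minor, patch]. Prerelease or
// canary strings are rejected on purpose: a canary may predate the fix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns { status, floor } with status "ok", "upgrade" or "unknown-train".
// "unknown-train" means this article names no floor for that major.minor,
// so the advisories must be consulted directly rather than assumed safe.
function checkNextVersion(installed) {
  const [major, minor] = parseVersion(installed);
  const floor = PATCHED_FLOORS[`${major}.${minor}`];
  if (!floor) return { status: "unknown-train", floor: null };
  const status = compareVersions(installed, floor) >= 0 ? "ok" : "upgrade";
  return { status, floor };
}

// Read the resolved "next" version from a package-lock.json (lockfileVersion 2 or 3).
function nextVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) throw new Error("next not found in lockfile");
  return entry.version;
}

// Constructed sample lockfile: a team that applied the first patch but not the follow-up.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/next": { version: "15.5.16" } },
});

console.log(checkNextVersion(nextVersionFromLock(SAMPLE_LOCK)));
// { status: "upgrade", floor: "15.5.18" }
```

In a real pipeline, run this in CI against the lockfile actually deployed, and treat `unknown-train` as a finding rather than a pass.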
