
Patch Your Next.js Now: 13 Vulnerabilities Fixed
May 24, 2026
If you're running Next.js in production and haven't updated in the last two weeks, stop what you're doing. Vercel shipped a coordinated security release on May 6 that patches 13 vulnerabilities — some of them serious enough that WAF rules alone won't protect you.
Here's everything you need to know.
What Was Patched
The release addresses vulnerabilities spanning middleware and proxy bypass, denial of service in React Server Components, DoS via Cache Components and the Image Optimization API, server-side request forgery via WebSocket upgrades, cache poisoning, and cross-site scripting via CSP nonces and beforeInteractive scripts.
The severity breakdown from Vercel's advisory:
High: DoS in React Server Components (CVE-2026-23870); DoS via connection exhaustion in apps using Cache Components; SSRF in apps handling WebSocket upgrade requests; auth bypass via App Router segment-prefetch URL; Pages Router i18n default-locale path bypass.
Moderate: Cache poisoning in React Server Component responses; XSS in App Router apps using CSP nonces; XSS in beforeInteractive scripts with untrusted input.
Low: Cache poisoning via collisions in RSC cache-busting.
The auth bypass vulnerabilities are the ones to pay attention to. Apps relying on middleware.js or proxy.js for authorization are directly affected. If that's how you're gating protected routes, this isn't optional.
Which Versions Are Affected
The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for React 19.x.
What to Update To
Patched versions are Next.js 15.5.18 and 16.2.6. Patched React versions are also available: 19.0.6, 19.1.7, and 19.2.6; pick the one that matches your current React minor.
npm install next@latest
# or pin to specific patched version
npm install next@15.5.18
Upgrading immediately is the only complete mitigation. WAF rules are not sufficient.
Netlify Deployments: Extra Step Required
If you host on Netlify, there's one more thing to do.
For projects using Pages Router with i18n and Next.js Middleware/Proxy, the upstream Next.js fix does not fully apply on Netlify. The fix ships in OpenNext Netlify Next.js adapter v5.15.11. If you're using the auto-installed adapter, a redeploy is enough. If you've manually installed it, upgrade @netlify/plugin-nextjs to v5.15.11 and redeploy.
Any publicly reachable deploy previews and branch deploys built before the adapter upgrade may remain vulnerable until they are deleted. Delete them manually rather than waiting for them to expire.
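As an added example (not code from the advisory, Vercel or Netlify), the script below checks resolved dependency versions against the patched versions named above, covering both the Next.js/React bump and the Netlify adapter. It assumes an input map of package name to exact installed version (as you would get from `npm ls --json` or the lockfile); the `unknown` outcome flags release lines the advisory does not mention, so they need a manual look rather than a green tick.

```javascript
// Added example, not Vercel's or Netlify's code: audits resolved dependency
// versions against the minimum patched versions named in the advisory.
const PATCHED = {
  next: ['15.5.18', '16.2.6'],
  react: ['19.0.6', '19.1.7', '19.2.6'],
  '@netlify/plugin-nextjs': ['5.15.11'],
};
// Majors the advisory lists as affected; one with no patched release of its
// own (Next.js 13.x, 14.x) has to move to a patched line, so it is 'vulnerable'.
const AFFECTED_MAJORS = { next: [13, 14, 15, 16], react: [19] };

// "15.5.18-canary.3" -> [15, 5, 18, 0]; a final release gets 1 in the last
// slot so it sorts after any pre-release carrying the same number.
function parseVersion(s) {
  const [core, pre] = s.split('-');
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${s}`);
  return [...parts, pre ? 0 : 1];
}
function compare(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// 'patched' | 'vulnerable' | 'unknown' (a line the advisory does not cover,
// e.g. a newer minor) | 'not-tracked' (any package not in PATCHED).
function status(pkg, installed) {
  if (!PATCHED[pkg]) return 'not-tracked';
  const v = parseVersion(installed);
  const mins = PATCHED[pkg].map(parseVersion);
  const sameLine = mins.find((m) => m[0] === v[0] && m[1] === v[1]);
  if (sameLine) return compare(v, sameLine) >= 0 ? 'patched' : 'vulnerable';
  const sameMajor = mins.filter((m) => m[0] === v[0]).sort(compare);
  if (sameMajor.length === 0) {
    return (AFFECTED_MAJORS[pkg] || []).includes(v[0]) ? 'vulnerable' : 'unknown';
  }
  // An older minor than the patched line (e.g. 16.1.x) never got the fix;
  // a newer minor postdates the advisory and needs a fresh look.
  return compare(v, sameMajor[sameMajor.length - 1]) < 0 ? 'vulnerable' : 'unknown';
}

// installed: { name: exactVersion }, e.g. from `npm ls --json` or the lockfile.
function audit(installed) {
  const findings = {};
  for (const [pkg, ver] of Object.entries(installed)) {
    const s = status(pkg, ver);
    if (s !== 'patched' && s !== 'not-tracked') findings[pkg] = `${ver}: ${s}`;
  }
  return findings;
}

// Constructed sample: a Netlify-hosted app one patch behind on two packages.
const sample = { next: '15.5.17', react: '19.1.7', '@netlify/plugin-nextjs': '5.15.10', typescript: '5.6.3' };
console.log(audit(sample));
```

Feed it the `dependencies` object from `npm ls --json --depth=0` (mapping each entry to its `version`) to run it against a real install.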
The WebSocket SSRF Is Worth Noting Specifically
Tracked as CVE-2026-44578, this high-severity flaw enables SSRF through crafted WebSocket upgrade requests on self-hosted Node.js deployments. An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations — potentially exposing internal services or cloud metadata endpoints. Vercel-hosted deployments are explicitly noted as unaffected.
If you're self-hosting on Node.js and using WebSockets, this one's particularly nasty in cloud-native environments.
One More CVE to Know
A follow-up advisory on May 7 covered CVE-2026-29057 — an HTTP request smuggling vulnerability in rewrites, addressed by patching http-proxy. The May 6 release and this follow-up together are why you want the latest patch version, not just a minor bump.
tl;dr
Update to Next.js 15.5.18 or 16.2.6 right now. Bump React to the matching patched minor. If you're on Netlify with i18n + middleware auth, also update the OpenNext adapter. WAFs won't save you on the auth bypass — only the patch will.
Sources: Vercel Changelog, Netlify Changelog, Cryptika