
Next.js 13 CVEs: Upgrade to 15.5.18 or 16.2.6 Now

Next.js 13 CVEs patched in May 2026 — upgrade to 15.5.18 or 16.2.6 immediately

Vercel published 13 security advisories for Next.js on May 7 — seven rated high severity. The vulnerabilities cover server-side request forgery, middleware authentication bypass, denial of service, cache poisoning, and cross-site scripting. If you self-host Next.js, you need to patch today. One detail matters immediately: the first release (15.5.16 / 16.2.5) ships with an incomplete middleware fix. Turbopack-enabled deployments need 15.5.18 or 16.2.6 to be fully protected. Skip the intermediate version and go straight to the latest.

The Worst CVE: WebSocket SSRF (CVE-2026-44578, CVSS 8.6)

This is the headline vulnerability. An unauthenticated attacker crafts a WebSocket upgrade request using an absolute-form URI — something like GET http:///latest/meta-data/ — and Next.js’s upgrade handler blindly proxies it to any internal host reachable on port 80. No credentials required. AWS instance metadata, GCP and Azure equivalent endpoints, internal admin panels, anything accessible from the server’s network perspective is reachable.

The flaw lives in router-server.ts and stems from a gap in validation: the WebSocket upgrade path did not apply the same routing safety checks that normal HTTP requests already had. Security firm Hadrian estimates, based on Shodan-indexed hosts, that roughly 79,000 self-hosted Next.js instances are currently exploitable. If your team runs Next.js behind a WAF and considers that sufficient — it is not. Vercel explicitly states patching is the only complete mitigation.

The Most Dangerous for Auth: Middleware Bypass (CVE-2026-44575 + CVE-2026-45109)

If your application relies on middleware.ts for authentication — which is the recommended Next.js pattern — this one deserves serious attention. When App Router prefetches route segments, it generates transport-specific requests like /dashboard.rsc. The middleware matcher did not consistently apply authorization checks to these .rsc variants. A crafted prefetch request can reach protected routes while bypassing middleware enforcement entirely.

Vercel shipped a fix in 15.5.16 / 16.2.5, then discovered it was incomplete: the fix failed to apply when Turbopack is the bundler (CVE-2026-45109). The complete fix landed in 15.5.18 / 16.2.6. This is not an edge case — Turbopack ships as the default bundler in Next.js 16. If you upgraded to 16.2.5 thinking you were protected on the middleware bypass, you are not. Netlify’s breakdown of all 13 advisories includes a clear timeline of both fixes.

The Upstream Problem: React RSC Denial of Service (CVE-2026-23870)

This one is not purely a Next.js bug — it lives in React’s Flight protocol deserialization. All three React Server Components packages are affected: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Any framework using React 19 inherits this vulnerability, not just Next.js.

The attack is low-bandwidth and application-layer: a small number of carefully crafted HTTP requests triggers disproportionate CPU consumption in the deserialization logic. App Router Server Function endpoints are the entry point. Cloudflare’s WAF provides some coverage here based on prior React RSC rules, but upgrading React’s server packages to 19.2.6 is required for complete protection. Cloudflare’s mitigation page documents which specific rules apply and their limitations.

Who’s Actually Safe

Two groups need to verify their assumptions. First: teams running on Vercel’s hosting — you are genuinely not affected. Vercel manages the runtime and has already patched its infrastructure. Second: teams running behind a Cloudflare WAF who believe that is sufficient coverage. It is not. Cloudflare protects against the RSC DoS vulnerability through managed ruleset rules, but explicitly cannot safely block the SSRF or some of the cache poisoning CVEs without breaking legitimate application behavior. WAF protection is additive, not a replacement for patching.

Upgrade Path — and Why Next.js 16 Is Worth It

The security release makes the upgrade decision easy. Run the automated codemod to handle breaking changes:

npx @next/codemod@canary upgrade latest

Or upgrade manually:

npm install next@16.2.6 react@19.2.6 react-dom@19.2.6

If you are staying on 15.x for now:

npm install next@15.5.18 react@19.2.6 react-dom@19.2.6

If the security context alone was not enough to make the upgrade compelling, Next.js 16 ships meaningful improvements. Turbopack is now the stable default bundler for both dev and production — production builds run 2-5x faster than Webpack, with near-instant HMR in large codebases. React Compiler 1.0 ships built-in, providing automatic memoization without manual useMemo and useCallback. And the new use cache directive with Cache Components replaces the older route segment config caching model with something more composable. The official Next.js 16 upgrade guide covers all breaking changes. The Hadrian SSRF technical analysis is worth reading before presenting this to your team.

What to Do Right Now

  • Run npx next --version to confirm your current version
  • Target 16.2.6 (or 15.5.18 if staying on the 15.x line)
  • Upgrade React server packages to 19.2.6 alongside Next.js
  • If you use Cloudflare WAF — keep it, but do not treat it as sufficient coverage
  • If you are Vercel-hosted — no action needed, but worth reviewing your middleware auth patterns regardless
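
As an added check (not code from the article, Vercel or Hadrian), the Node script below audits a package-lock against the fixed versions named above, treating the first Next.js patch release (15.5.16 / 16.2.5) as still vulnerable; the lock excerpt is constructed, and major lines the article does not mention are skipped rather than judged.

```javascript
// Fixed-version floors per major line, taken from the advisories summarized above.
const FIXED = {
  // 15.5.16 / 16.2.5 left the Turbopack middleware bypass (CVE-2026-45109) open,
  // so the floor is the second release of each line.
  next: { "15": "15.5.18", "16": "16.2.6" },
  // React Flight deserialization DoS (CVE-2026-23870): react and every RSC package.
  react: { "19": "19.2.6" },
  "react-dom": { "19": "19.2.6" },
  "react-server-dom-webpack": { "19": "19.2.6" },
  "react-server-dom-parcel": { "19": "19.2.6" },
  "react-server-dom-turbopack": { "19": "19.2.6" },
};

// Numeric compare on major.minor.patch; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimum fixed version for a package, or null if the package or its major
// line is not covered by the advisories (those are skipped, not judged).
function requiredVersion(name, version) {
  const lines = FIXED[name];
  if (!lines) return null;
  return lines[version.split(".")[0]] || null;
}

// Walks a package-lock v3 "packages" map and lists entries below their floor.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    const min = requiredVersion(name, entry.version);
    if (min && compareVersions(entry.version, min) < 0) {
      findings.push({ name, installed: entry.version, required: min });
    }
  }
  return findings;
}

// Constructed lock excerpt: an app that stopped at the incomplete 16.2.5 patch.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "16.2.5" },
    "node_modules/react": { version: "19.2.6" },
    "node_modules/react-dom": { version: "19.2.6" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

Point `auditLock` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project.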
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.