Millions of Next.js deployments worldwide are now at heightened risk after a comprehensive proof-of-concept (PoC) collection targeting 12 security vulnerabilities, all of which are now patched in Next.js v16.2.5 and v16.2.6, was publicly released, exposing the full attack surface of one of the internet’s most widely used React frameworks.
Security researcher dwisiswant0, working in collaboration with ProjectDiscovery’s Neo reverse-engineering platform, has published a detailed PoC repository covering every advisory fixed in the Next.js v16.2.4-to-v16.2.5 release window.
The collection, available on GitHub, delivers runnable exploit scripts, pre-patch source code excerpts, patch diffs, and minimal vulnerable application stubs, everything a red team or defensive researcher needs to validate detection and regression coverage.
The disclosures align with a coordinated security release by the Vercel and React teams on May 6, 2026, which simultaneously patched thirteen advisories across both Next.js and the upstream React Server Components (react-server-dom-*) packages.
12 Next.js Vulnerabilities
Cloudflare, Netlify, and other major hosting providers also shipped platform-level mitigations within 24–48 hours of disclosure. The PoC repository covers a diverse attack surface spanning denial-of-service, middleware bypass, SSRF, XSS, and cache poisoning. Here is the complete advisory matrix:
| CVE | GHSA | Severity | Attack Type |
|---|---|---|---|
| CVE-2026-23870 | GHSA-8h8q-6873-q5fj | High | React Server Action stream DoS |
| CVE-2026-44575 | GHSA-267c-6grr-h53f | High | App Router prefetch middleware bypass |
| CVE-2026-44579 | GHSA-mg66-mrh9-m8jx | High | next-resume connection exhaustion |
| CVE-2026-44574 | GHSA-492v-c6pp-mqqv | High | Dynamic-route & middleware mismatch |
| CVE-2026-44578 | GHSA-c4j6-fc7j-m34r | High | WebSocket upgrade SSRF (self-hosted) |
| CVE-2026-44573 | GHSA-36qx-fr4f-26g5 | High | Pages Router i18n data-route bypass |
| CVE-2026-44581 | GHSA-ffhc-5mcf-pf4q | Medium | CSP nonce parsing XSS |
| CVE-2026-44580 | GHSA-gx5p-jg67-6x7h | Medium | next/script beforeInteractive XSS |
| CVE-2026-44577 | GHSA-h64f-5h5j-jqjh | Medium | Image optimizer decompression bomb |
| CVE-2026-44576 | GHSA-wfc6-r584-vfw7 | Medium | RSC and HTML cache confusion |
| CVE-2026-44582 | GHSA-vfv6-92ff-j949 | Low | Weak _rsc cache-busting hash |
| CVE-2026-44572 | GHSA-3g8h-86w9-wvmq | Low | x-nextjs-data redirect cache poisoning |
CVE-2026-23870 – React Server Action Stream DoS: This upstream flaw in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack allows a malicious payload to trigger memory exhaustion or excessive CPU consumption in any application using React Server Components. It affects Next.js versions ≥13.0.0 and is tracked as GHSA-rv78-f8rc-xrxh on the React side.
CVE-2026-44575 – App Router Prefetch Middleware Bypass: An attacker can craft segment-prefetch requests that bypass middleware.ts enforcement in the App Router entirely, evading authentication, authorization, and rate-limiting controls. A follow-up advisory (GHSA-26hh-7cqf-hhc6) addresses an incomplete fix when Turbopack is used.
CVE-2026-44574 – Dynamic Route Parameter Injection: This middleware/proxy bypass through dynamic route parameter injection affects all Next.js versions ≥15.4.0, enabling attackers to trigger unintended routing behavior and skip security middleware.
CVE-2026-44578 – WebSocket Upgrade SSRF: Restricted to self-hosted deployments, this Server-Side Request Forgery vulnerability allows an attacker to pivot internal network requests through a vulnerable Next.js server by abusing the WebSocket upgrade path.
Managed platform users on Netlify and Cloudflare are not affected, as those environments do not support WebSocket upgrades in the same code path.
CVE-2026-44579 – Connection Exhaustion DoS: Applications using the experimental Cache Components feature face a connection exhaustion attack via the next-resume mechanism that causes availability failures that can spike infrastructure costs, even on serverless platforms.
CVE-2026-44573 – i18n Data-Route Bypass: Pages Router applications using internationalization (i18n) routing are vulnerable to a middleware bypass via crafted data routes, affecting deployments running Next.js ≥12.2.0. Netlify confirmed that this particular bypass required a platform-specific fix shipped in OpenNext Netlify adapter v5.15.11.
Two medium-severity client-side XSS issues, CVE-2026-44581 (CSP nonce parsing) and CVE-2026-44580 (next/script beforeInteractive), apply regardless of hosting provider and can be triggered in any App Router or script-loading context that processes untrusted input.
The medium-severity CVE-2026-44577 is a decompression bomb in the Image Optimization API, relevant only to self-hosted Next.js instances.
Cache poisoning variants (CVE-2026-44576, CVE-2026-44582, CVE-2026-44572) exploit weaknesses in RSC response caching and x-nextjs-data header handling, enabling cache poisoning attacks against CDN layers that do not properly vary on RSC headers.
The affected version range spans Next.js 12.2.0 through 16.2.4, covering years of deployments. Patches are available only in Next.js 15.5.18 and 16.2.6; the older 13.x and 14.x branches will not receive backports and must be upgraded to a supported minor version.
For React Server Components used outside Next.js, upgrade react-server-dom-* to 19.0.6, 19.1.7, or 19.2.6 to match your React minor.
Mitigation
- Upgrade `next` to `>=16.2.6` or `>=15.5.18` and redeploy immediately
- For Netlify users on Pages Router with i18n, upgrade `@netlify/plugin-nextjs` to v5.15.11
- Block or sanitize the `x-nextjs-data` and `x-middleware-subrequest` headers at the WAF or load balancer level as an interim defense
- Audit all middleware-protected routes for unauthorized access using the PoC regression test suite
- If running self-hosted Next.js, prioritize patching CVE-2026-44578 (WebSocket SSRF) and CVE-2026-44577 (Image Optimizer DoS) as those attack vectors are exclusive to self-hosted environments
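As an added example (not code from the PoC repository, Next.js, or any hosting provider), the following shows the two checks a defender would run from the list above: an edge-layer filter that strips the `x-nextjs-data` and `x-middleware-subrequest` headers before a request reaches Next.js, and a version gate that reports whether a resolved `next` version meets the patched floors (`>=15.5.18` on 15.x, `>=16.2.6` on 16.x). The assumption that any major newer than 16 carries the fixes is the example's own.

```javascript
// Headers named in the advisories for middleware bypass and cache poisoning.
const BLOCKED_HEADERS = ['x-nextjs-data', 'x-middleware-subrequest'];

// Return a lower-cased copy of the inbound headers with the blocked ones
// removed, plus the list of what was stripped so the edge can log it as a
// detection signal (a legitimate browser never sets these on entry).
function sanitizeInboundHeaders(headers) {
  const clean = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase(); // header names are case-insensitive
    if (BLOCKED_HEADERS.includes(lower)) {
      stripped.push(lower);
    } else {
      clean[lower] = value;
    }
  }
  return { headers: clean, stripped };
}

// Patched floors from the advisory. 12.x-14.x receive no backport and are
// therefore always reported as unpatched.
const PATCHED_FLOORS = { 15: [15, 5, 18], 16: [16, 2, 6] };

// Parse "16.2.4" or "v16.2.4" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the resolved "next" version is at or above the patched floor
// for its major line. Majors above 16 are assumed fixed (example assumption).
function isPatchedNext(version) {
  const [major, minor, patch] = parseVersion(version);
  const floor = PATCHED_FLOORS[major];
  if (!floor) return major > 16;
  const [, floorMinor, floorPatch] = floor;
  if (minor !== floorMinor) return minor > floorMinor;
  return patch >= floorPatch;
}

// Constructed sample: a request carrying both abused headers.
const sampleRequest = { Host: 'app.example', 'X-NextJS-Data': '1',
  'x-middleware-subrequest': 'middleware', Accept: '*/*' };
console.log(sanitizeInboundHeaders(sampleRequest).stripped, isPatchedNext('16.2.4'));
```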
FAQ
Q1: Does upgrading to Next.js 16.2.6 fix all 12 CVEs?
Yes, Next.js 16.2.6 (and 15.5.18) patches all twelve advisories, plus the upstream React Server Components DoS (CVE-2026-23870) by bundling a patched react-server-dom-* dependency.
Q2: Are Vercel-hosted Next.js deployments affected?
Most high-severity self-hosted vectors (WebSocket SSRF, Image Optimizer DoS) do not apply to Vercel or Netlify-managed hosting. Still, middleware bypass and XSS issues affect all hosting environments and require an application-level upgrade.
Q3: Is the PoC collection legal to use?
The repository is intended exclusively for defensive research, regression testing, and detection engineering. Testing it against systems you own or are authorized to test is legal; testing it against unauthorized systems is illegal under computer fraud and abuse laws.
Q4: Can a WAF block these exploits without upgrading Next.js?
Cloudflare shipped WAF managed rule updates on May 6, 2026, as interim mitigations, but WAF rules are a temporary stopgap. Upgrading to a patched version of Next.js remains the only complete remediation for all 12 CVEs.
Site: https://thecybrdef.com