SB2026050696 - Multiple vulnerabilities in Next.js


Published: May 6, 2026

Security Bulletin ID SB2026050696
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

  • High: 8%
  • Medium: 75%
  • Low: 17%

Description

This security bulletin contains information about 12 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-23870)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in server function endpoints when handling specially crafted HTTP requests. A remote attacker can send specially crafted HTTP requests to cause a denial of service.

This can lead to out-of-memory exceptions or excessive CPU usage.


2) Authentication bypass using an alternate path or channel (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose protected content.

The vulnerability exists due to authentication bypass using an alternate path or channel in middleware matchers for App Router applications when handling segment-prefetch and .rsc route variants. A remote attacker can send specially crafted segment-prefetch or .rsc requests to disclose protected content.

The issue affects applications that rely on middleware or proxy-based authorization checks for protection.


3) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary script in victims' browsers.

The vulnerability exists due to cross-site scripting in App Router HTML rendering when processing malformed nonce values derived from request headers behind shared caches. A remote attacker can supply a malformed nonce value to poison cached responses and execute arbitrary script in victims' browsers.

User interaction is required, and exploitation affects App Router applications that rely on CSP nonces when deployed behind shared caches.


4) Reversible One-Way Hash (CVE-ID: N/A)

The vulnerability allows a remote attacker to poison shared cache entries and cause users to receive the wrong response variant for a given URL.

The vulnerability exists due to use of a weak hash in the React Server Component cache-busting mechanism when generating the _rsc cache-busting value for shared caches with insufficient response partitioning. A remote attacker can trigger collisions in crafted requests to poison shared cache entries and cause users to receive the wrong response variant for a given URL.

Only deployments that rely on shared caches with insufficient response partitioning are vulnerable.


5) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary JavaScript in a visitor's browser.

The vulnerability exists due to improper neutralization of input during web page generation in beforeInteractive script content serialization when embedding untrusted content into the document. A remote attacker can supply specially crafted input to execute arbitrary JavaScript in a visitor's browser.

User interaction is required to load the affected page.


6) Resource exhaustion (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper request handling in the Cache Components feature when processing crafted POST requests to a server action. A remote attacker can send a specially crafted request to cause a denial of service.

Only applications using Partial Prerendering through the Cache Components feature are vulnerable. The issue can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity.


7) Authentication bypass using an alternate path or channel (CVE-ID: N/A)

The vulnerability allows a remote user to bypass authorization checks and access protected content.

The vulnerability exists due to authentication bypass using an alternate path or channel in middleware protection for dynamic routes when handling specially crafted query parameters. A remote user can send specially crafted query parameters to bypass authorization checks and access protected content.

The issue affects applications that rely on middleware path matching to protect dynamic routes.


8) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the Image Optimization API when handling requests to the /_next/image endpoint for large local assets matching configured local patterns. A remote attacker can request large local assets to cause a denial of service.

Only self-hosted deployments using the default image loader are vulnerable. By default, all local patterns are allowed.


9) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in WebSocket upgrade handling in the built-in Node.js server when processing crafted WebSocket upgrade requests. A remote attacker can send a specially crafted WebSocket upgrade request to disclose sensitive information.

Only self-hosted applications using the built-in Node.js server are affected; Vercel-hosted deployments are not affected.


10) Interpretation Conflict (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause cache poisoning that results in component payloads being served instead of the expected HTML.

The vulnerability exists due to an interpretation conflict in React Server Component response handling when shared caches do not correctly partition response variants. A remote attacker can cause an RSC response to be stored in the shared cache under the original URL, so that subsequent users receive component payloads instead of the expected HTML.

The issue affects applications using React Server Components with shared caches under affected conditions.


11) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in middleware authorization for Pages Router data routes when handling locale-less /_next/data//.json requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications using the Pages Router with i18n configured and relying on middleware or proxy-based authorization for protected page data are vulnerable.


12) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to acceptance of extraneous untrusted data with trusted data in middleware / proxy redirect handling when processing a normal request with a spoofed x-nextjs-data header on a path that returns a redirect. A remote attacker can send a specially crafted request to cause a denial of service.

Exploitation requires the application to be deployed behind a caching CDN or reverse proxy that caches 3xx responses for the affected path without varying on the x-nextjs-data header.
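The cache-partitioning failure behind items 4, 10 and 12 is the same one: a shared cache keyed on the URL alone stores one variant of a response and hands it to every later request for that URL. The following Python model is an added illustration, not code from the bulletin or from Next.js; the x-nextjs-data header is the one named above, while the RSC header and the response bodies are constructed assumptions used only to show the effect of keying the cache with and without the variant-selecting headers.

```python
# Added example: a toy shared cache that shows why response variants for one
# URL must be partitioned by the headers that select them (as a Vary header does).
# x-nextjs-data comes from the bulletin; "rsc" is an assumed second header.
from typing import Dict, Tuple

# Constructed list of headers that select a response variant for the same URL.
VARIANT_HEADERS = ("x-nextjs-data", "rsc")


def cache_key(path: str, headers: Dict[str, str], partition: bool) -> Tuple[str, ...]:
    """Key under which the shared cache stores a response.

    partition=False models a cache keyed on the URL only (the weak setting);
    partition=True appends the variant-selecting header values (the fix).
    """
    if not partition:
        return (path,)
    norm = {k.lower(): v for k, v in headers.items()}
    return (path,) + tuple(norm.get(h, "") for h in VARIANT_HEADERS)


def origin(path: str, headers: Dict[str, str]) -> str:
    """Constructed origin: returns a data payload or an HTML page per request."""
    norm = {k.lower(): v for k, v in headers.items()}
    if norm.get("x-nextjs-data") == "1" or norm.get("rsc") == "1":
        return f"DATA-PAYLOAD for {path}"
    return f"<html>page {path}</html>"


class SharedCache:
    def __init__(self, partition: bool) -> None:
        self.partition = partition
        self.store: Dict[Tuple[str, ...], str] = {}

    def fetch(self, path: str, headers: Dict[str, str]) -> str:
        """Return the cached body for this request, filling the cache on a miss."""
        key = cache_key(path, headers, self.partition)
        if key not in self.store:
            self.store[key] = origin(path, headers)
        return self.store[key]


def served_to_browser(partition: bool) -> str:
    """A data-variant request fills the cache first; then a plain browser
    request for the same URL arrives. Return what the browser receives."""
    cache = SharedCache(partition)
    cache.fetch("/account", {"x-nextjs-data": "1"})
    return cache.fetch("/account", {})
```

With partition=False the browser receives the data payload stored by the earlier request; with partition=True the two variants live under different keys and the browser gets the HTML page.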


Remediation

Install the update from the vendor's website.