Next.js Patches App Router Flaws as Middleware Bypass PoCs Spread
Vercel has released a broad set of security fixes for Next.js and related React Server Components, addressing more than a dozen vulnerabilities affecting App Router deployments across versions 13.x through 16.x and React Server Components 19.x. The disclosures include denial of service, server-side request forgery, cross-site scripting, cache poisoning, and multiple middleware authorization bypass conditions. Among the most serious issues is CVE-2026-23870 (GHSA-8h8q-6873-q5fj), a high-severity denial-of-service flaw in React Flight deserialization that can be triggered through crafted requests to App Router Server Function endpoints, causing excessive CPU consumption; fixes were issued in Next.js 15.5.16 and 16.2.5. Vercel also disclosed CVE-2026-44578, a high-severity SSRF issue in self-hosted Node.js deployments via crafted WebSocket upgrade requests.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Vercel publishes broader batch of Next.js and React security advisories
Vercel disclosed more than a dozen vulnerabilities affecting Next.js and related React Server Components, including middleware authorization bypass, SSRF, XSS, cache poisoning, and additional DoS issues. The advisories covered affected versions across Next.js 13.x through 16.x and React Server Components 19.x, with upgrade and mitigation guidance for users.
Vercel discloses and patches React Server Components DoS flaw
Vercel published a security advisory for CVE-2026-23870 / GHSA-8h8q-6873-q5fj, a denial-of-service issue in App Router deployments using vulnerable React Server Components packages. The company said crafted requests to Server Function endpoints could cause excessive CPU consumption and released fixes in Next.js 15.5.16 and 16.2.5.
Additional exploit and simulation tools expand CVE-2025-29927 exposure
Through April 2025, more GitHub projects released exploit code, scanners, and simulation environments for CVE-2025-29927. These references show broader public weaponization and testing support for the middleware bypass vulnerability.
Public PoCs for CVE-2025-29927 begin circulating
Multiple GitHub repositories published proof-of-concept material for CVE-2025-29927, a Next.js middleware authorization bypass issue. The PoCs describe bypassing protections in Next.js middleware, including abuse of the x-middleware-subrequest header.
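The interim mitigation Vercel published for CVE-2025-29927 was to reject external requests that carry the x-middleware-subrequest header, which Next.js sets only on its own internal sub-requests. The filter below is an added example, not code from Vercel's advisory or from any of the linked repositories; the request object shape (`method`, `url`, `headers`, `remoteAddress`) and the sample traffic are assumptions constructed for illustration.

```javascript
// Added example: edge-side filter implementing the header-blocking mitigation
// for CVE-2025-29927, doubling as a detection that emits SIEM-ready fields.

const BLOCKED_HEADER = 'x-middleware-subrequest';

// Return the offending header name in whatever case it arrived, or null.
function findBlockedHeader(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === BLOCKED_HEADER) return name;
  }
  return null;
}

// Decide one request. `req` is a plain object { method, url, headers, remoteAddress };
// this shape is an assumption, adapt it to your proxy's request type.
function filterRequest(req) {
  const hit = findBlockedHeader(req.headers);
  if (hit === null) return { action: 'allow', status: null };
  return {
    action: 'block',
    status: 403,
    event: 'nextjs_middleware_bypass_attempt',
    header: hit,
    client: req.remoteAddress,
    method: req.method,
    path: req.url,
  };
}

// Run the filter over a batch (live traffic or replayed logs) and summarise for triage.
function triage(requests) {
  const decisions = requests.map(filterRequest);
  const alerts = decisions.filter((d) => d.action === 'block');
  return { total: requests.length, blocked: alerts.length, alerts };
}

// Constructed sample traffic: two ordinary requests and one carrying the header
// (header value is a placeholder; the filter keys on the name, not the value).
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/', headers: { host: 'app.example', accept: 'text/html' }, remoteAddress: '203.0.113.10' },
  { method: 'GET', url: '/admin', headers: { host: 'app.example', 'X-Middleware-Subrequest': 'constructed-value' }, remoteAddress: '203.0.113.77' },
  { method: 'POST', url: '/api/login', headers: { host: 'app.example', 'content-type': 'application/json' }, remoteAddress: '198.51.100.5' },
];

// Example run: triage(SAMPLE_REQUESTS) flags only the /admin request.
```

Header names are already lower-cased by Node's http module, but the case-insensitive match keeps the check correct when request objects come from other proxies or from parsed log records.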
Detection template for Next.js auth bypass appears on GitHub
A GitHub repository published a Nuclei template for CVE-2025-29927, indicating public detection guidance for the Next.js middleware authorization bypass vulnerability. This is the earliest reference in the provided material tied to the flaw.
Sources
23 references tracked.
GitHub - lirantal/vulnerable-nextjs-14-CVE-2025-29927 (github.com)
Multiple Critical Vulnerabilities Patched in Next.js and React Server Components (cybersecuritynews.com)
Denial of Service with Server Components · Advisory · vercel/next.js (github.com)
GitHub - DanielHallbro/CVE-2025-29927-Nextjs-Bypass-PoC: A Proof of Concept for CVE-2025-29927 demonstrating a middleware bypass in Next.js versions prior to 13.5.9 (github.com)
GitHub - Oyst3r1ng/CVE-2025-29927: Next.js Middleware Auth Bypass (github.com)
GitHub - azu/nextjs-cve-2025-29927-poc: Next.js PoC for CVE-2025-29927 (github.com)
GitHub - emadshanab/CVE-2025-29927: New nuclei CVE (github.com)
GitHub - 6mile/nextjs-CVE-2025-29927: A Nuclei template to detect CVE-2025-29927, the Next.js authentication bypass vulnerability (github.com)