Critical Vulnerabilities in React and Next.js Require Immediate Updates

Critical Vulnerabilities in React and Next.js Require Immediate Updates

First seen 8 May 2026, 03:41 UTC Developers.CloudflareCybersecuritynewsGbhackersgithub.com 86% similarity 72.0

Article Content

Browse articles
ThreatCluster

Multiple critical vulnerabilities affecting React Server Components and .js have been disclosed, including denial of service, server-side request forgery, and middleware bypass issues. These flaws impact versions 13.x to 16.x of .js and 19.x of React Server Components. Vercel has released patches for these vulnerabilities, with CVE-2026-23870 published on 2026-05-06. Cloudflare has deployed WAF rules to mitigate some of the newly disclosed vulnerabilities but recommends that users update their applications directly. The vulnerabilities pose significant risks, including potential unauthorized access and service disruptions. Security professionals are urged to apply the updates immediately to protect their applications from exploitation. The vulnerabilities were disclosed with minimal advance notice, emphasizing the urgency of the situation.

Key Points: • Vulnerabilities affect React and .js versions 13.x to 16.x and 19.x respectively. • Critical flaws include denial of service, SSRF, and middleware bypass vulnerabilities. • Immediate updates are recommended as Cloudflare's WAF may not block all attack vectors.

ThreatCluster AI

Timeline

2025-12-11
CVE-2025-55184 published
Initial vulnerabilities affecting React Server Components disclosed, with a public PoC released shortly after.
Developers.Cloudflare
2026-01-26
CVE-2026-23864 published
Vulnerabilities affecting React Server Components disclosed, leading to security advisories.
Developers.Cloudflare
2026-05-06
CVE-2026-23870 published
New denial of service vulnerability in React Server Components disclosed, requiring immediate patching.
Developers.Cloudflare
Recent
Vercel releases security updates
Vercel has rolled out critical updates for .js to address multiple high-severity vulnerabilities.
Gbhackers
Recent
Cloudflare WAF rules deployed
Cloudflare has implemented WAF rules to mitigate some vulnerabilities but urges direct application updates.
Developers.Cloudflare

Community

Browse all →