Critical Vulnerabilities in React and Next.js Require Immediate Updates

Severity: High (Score: 72.0)

Sources: Gbhackers, Developers.Cloudflare, github.com, Cybersecuritynews

Summary

Multiple critical vulnerabilities affecting React Server Components and Next.js have been disclosed, including denial of service, server-side request forgery, and middleware bypass issues. These flaws impact versions 13.x to 16.x of Next.js and 19.x of React Server Components. Vercel has released patches for these vulnerabilities, with CVE-2026-23870 published on 2026-05-06. Cloudflare has deployed WAF rules to mitigate some of the newly disclosed vulnerabilities but recommends that users update their applications directly. The vulnerabilities pose significant risks, including potential unauthorized access and service disruptions. Security professionals are urged to apply the updates immediately to protect their applications from exploitation. The vulnerabilities were disclosed with minimal advance notice, emphasizing the urgency of the situation.

Key Points:

  • Vulnerabilities affect Next.js versions 13.x to 16.x and React Server Components 19.x.
  • Critical flaws include denial of service, SSRF, and middleware bypass vulnerabilities.
  • Immediate updates are recommended, as Cloudflare's WAF may not block all attack vectors.

Key Entities

  • Authentication Bypass (attack_type)
  • DDoS (attack_type)
  • Denial of Service (attack_type)
  • Server-Side Request Forgery (attack_type)
  • XSS (vulnerability)
  • React (platform)
  • App Router (platform)
  • Next.js (platform)
  • React Server Components (platform)
  • Vercel (company)
  • CVE-2025-55184 (cve)
  • CVE-2026-23864 (cve)
  • CVE-2026-23870 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • CWE-918 - Server-Side Request Forgery (SSRF) (cwe)
  • OpenNext (tool)
  • Vinext (tool)