Posts tagged "Next-js"

  • Security Update: Multiple vulnerabilities in Next.js and React

    The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.

    Summary

    If you run Next.js on Netlify, we strongly recommend upgrading next to 15.5.18 or 16.2.6 and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need OpenNext Netlify Next.js adapter v5.15.11. If you use react-server-dom-* outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See What should I do? for full steps.

    Netlify’s platform is not vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See Impact on Netlify for the per-CVE verdict.

    Vulnerabilities

    React (react-server-dom-*)

    This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The Next.js advisory GHSA-8h8q-6873-q5fj tracks the same issue downstream.

    Vulnerability | Severity | Affected versions | Fixed in
    GHSA-rv78-f8rc-xrxh — DoS in Server Components (CVE-2026-23870) | High | 19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5 | 19.0.6, 19.1.7, 19.2.6

    Next.js

    All Next.js issues are patched in 15.5.18 and 16.2.6. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.

    Vulnerability | Severity | Affected versions
    GHSA-8h8q-6873-q5fj — DoS with Server Components | High | ≥13.0.0
    GHSA-267c-6grr-h53f — Middleware / Proxy bypass in App Router via segment-prefetch routes | High | ≥15.2.0
    GHSA-26hh-7cqf-hhc6 — Follow-up to GHSA-267c-6grr-h53f: incomplete fix for middleware.ts with Turbopack | High | ≥15.2.0
    GHSA-mg66-mrh9-m8jx — DoS via connection exhaustion in apps using Cache Components | High | ≥15.0.0 (apps using Cache Components)
    GHSA-492v-c6pp-mqqv — Middleware / Proxy bypass through dynamic route parameter injection | High | ≥15.4.0
    GHSA-c4j6-fc7j-m34r — SSRF in applications using WebSocket upgrades | High | ≥13.4.13
    GHSA-36qx-fr4f-26g5 — Middleware / Proxy bypass in Pages Router applications using i18n | High | ≥12.2.0
    GHSA-ffhc-5mcf-pf4q — XSS in App Router applications using CSP nonces | Medium | ≥13.4.0
    GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts with untrusted input | Medium | ≥13.0.0
    GHSA-h64f-5h5j-jqjh — DoS in the Image Optimization API | Medium | ≥10.0.0
    GHSA-wfc6-r584-vfw7 — Cache poisoning in React Server Component responses | Medium | ≥14.2.0
    GHSA-vfv6-92ff-j949 — Cache poisoning via collisions in React Server Component cache-busting | Low | ≥13.4.6
    GHSA-3g8h-86w9-wvmq — Middleware / Proxy redirects can be cache-poisoned | Low | ≥12.2.0

    Impact on Netlify

    Denial of service

    GHSA-8h8q-6873-q5fj and GHSA-mg66-mrh9-m8jx are server-side denial-of-service (DoS) vulnerabilities. On Netlify their blast radius is limited: with an autoscaling serverless architecture, a malicious request that crashes or hangs one function invocation does not affect other requests. Sustained exploitation can still drive up your function costs. Note that Cache Components (GHSA-mg66-mrh9-m8jx) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.

    GHSA-h64f-5h5j-jqjh affects the Next.js Image Optimization API. Netlify projects are not affected: this Next.js code path is not used on Netlify — image optimization is handled by Netlify Image CDN, a separate service that runs outside your project’s functions with its own protections against this class of issue.

    Middleware / proxy bypass

    These advisories cover four distinct issues in Next.js middleware and proxy routing (one of them with a follow-up advisory). Because Netlify runs Next.js middleware via its own edge function adapter, the impact varies per advisory:

    • GHSA-3g8h-86w9-wvmq (cache-poisoned redirects): Netlify projects are not affected. Our OpenNext Netlify Next.js adapter already varies cached responses on the x-nextjs-data header.
    • GHSA-492v-c6pp-mqqv (dynamic route parameter injection): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
    • GHSA-36qx-fr4f-26g5 (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are affected. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in OpenNext Netlify Next.js adapter v5.15.11. See how to upgrade below.
    • GHSA-267c-6grr-h53f (App Router segment-prefetch bypass) and GHSA-26hh-7cqf-hhc6 (follow-up): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves both.

    Cross-site scripting

    GHSA-ffhc-5mcf-pf4q and GHSA-gx5p-jg67-6x7h are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to beforeInteractive scripts may be vulnerable. Upgrade Next.js to remediate.

    Server-side request forgery

    GHSA-c4j6-fc7j-m34r affects applications using WebSocket upgrades. Netlify projects are not affected: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.

    Cache poisoning

    GHSA-wfc6-r584-vfw7 and GHSA-vfv6-92ff-j949 affect React Server Component response caching. Netlify projects are not affected: Netlify’s CDN does not rely on the _rsc cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors Vary on RSC-related request headers.
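    As an added illustration (not code from Netlify or from the Next.js project), the toy shared cache below shows the class of problem that the Vary handling described above guards against: the same URL yields an RSC flight payload or an HTML page depending on request headers, so a cache key that ignores those headers lets one request's payload be served to the next visitor. The header names (RSC, Next-Router-State-Tree, Next-Router-Prefetch, x-nextjs-data) are the ones Next.js uses; the origin handler, the requests and the bodies are constructed, and the example does not reproduce the specific mechanics of any advisory listed here.

```javascript
// Added illustration, not Netlify's CDN implementation: a toy shared cache
// that shows why a cache key must honor Vary for the request headers that
// select an RSC payload versus an HTML page. Header names mirror the ones
// Next.js uses (RSC, Next-Router-State-Tree, Next-Router-Prefetch, and the
// Pages Router's x-nextjs-data); the origin, requests and bodies below are
// constructed. This shows the generic class of issue (one URL, two
// representations), not the mechanics of any specific advisory.

function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Constructed origin: like an App Router route, it answers the same URL with
// a flight payload when the request says RSC: 1 and with HTML otherwise, and
// it declares the selecting headers in Vary.
function originHandler(req) {
  const h = lowerHeaders(req.headers);
  const wantsRsc = h.rsc === "1" || h["x-nextjs-data"] === "1";
  return {
    status: 200,
    headers: {
      "content-type": wantsRsc ? "text/x-component" : "text/html; charset=utf-8",
      "cache-control": "public, s-maxage=60",
      vary: "RSC, Next-Router-State-Tree, Next-Router-Prefetch, x-nextjs-data",
    },
    body: wantsRsc
      ? '0:["$","div",null,{"children":"flight payload"}]'
      : "<html><body>account page</body></html>",
  };
}

class SharedCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.entries = new Map(); // url -> [{ secondaryKey, response }]
  }

  // RFC 9111 "secondary key": the request's value of every header named in
  // Vary. With honorVary off, every request for a URL shares one entry.
  secondaryKey(varyValue, reqHeaders) {
    if (!this.honorVary || !varyValue) return "";
    const h = lowerHeaders(reqHeaders);
    return varyValue
      .split(",")
      .map((n) => n.trim().toLowerCase())
      .sort()
      .map((n) => `${n}=${h[n] ?? ""}`)
      .join("&");
  }

  fetch(req, origin) {
    const stored = this.entries.get(req.url) || [];
    for (const entry of stored) {
      const key = this.secondaryKey(entry.response.headers.vary, req.headers);
      if (key === entry.secondaryKey) return { hit: true, response: entry.response };
    }
    const response = origin(req);
    const cc = lowerHeaders(response.headers)["cache-control"] || "";
    // Store only on an explicit shared-cache directive; a response without
    // Cache-Control is never cached heuristically.
    if (/\bs-maxage=\d+/.test(cc) && !/\b(no-store|private)\b/.test(cc)) {
      stored.push({
        secondaryKey: this.secondaryKey(response.headers.vary, req.headers),
        response,
      });
      this.entries.set(req.url, stored);
    }
    return { hit: false, response };
  }
}

// Poisoning attempt: prime the cache with a request carrying RSC: 1, then
// make a plain browser navigation to the same URL and see what it gets.
function poisonAttempt(honorVary) {
  const cache = new SharedCache({ honorVary });
  cache.fetch({ url: "/account", headers: { RSC: "1" } }, originHandler);
  const victim = cache.fetch({ url: "/account", headers: { Accept: "text/html" } }, originHandler);
  return { hit: victim.hit, contentType: victim.response.headers["content-type"] };
}

console.log("key ignores Vary:", poisonAttempt(false)); // browser receives text/x-component
console.log("key honors Vary: ", poisonAttempt(true));  // browser receives text/html
```

    The second rule in fetch (store only on an explicit s-maxage, never on a response without Cache-Control) is the other property a CDN in front of Next.js needs; a cache that keys purely on the URL and caches heuristically fails both checks.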

    What should I do?

    We strongly recommend upgrading as soon as possible to patched releases:

    • Next.js projects: upgrade next to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate react-server-dom-* upgrade is not needed.
    • Direct react-server-dom-* users (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.

    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

    For projects using Pages Router with i18n and Next.js Middleware / Proxy (GHSA-36qx-fr4f-26g5), the upstream Next.js fix does not fully apply on Netlify. The fix ships in OpenNext Netlify Next.js adapter v5.15.11:

    • Auto-installed adapter (default): redeploy.
    • Manually installed adapter: upgrade @netlify/plugin-nextjs to v5.15.11 and redeploy. We recommend not pinning the adapter version so future fixes ship automatically.

    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.
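    As an added example (not Netlify's or the Next.js team's tooling), the script below audits a package-lock.json against the patched versions named in this post. The thresholds are the ones listed above; treating a release line newer than the advisory's newest (for example a hypothetical next 17.x) as "unknown" is an assumption of the example, and the sample lockfile is constructed.

```javascript
// Added example, not Netlify's or the Next.js team's tooling: audit a
// package-lock.json (lockfileVersion 2/3 "packages" map) against the patched
// releases named in this advisory. Thresholds are copied from the advisory
// text; how to treat a release line newer than anything the advisory lists is
// an assumption, so such versions are reported as "unknown" rather than guessed.

const RSC_LINES = { "19.0": "19.0.6", "19.1": "19.1.7", "19.2": "19.2.6" };

const ADVISORY = {
  // Parallel release lines: each minor has its own first patched version and,
  // per the advisory, minors missing from the table will not be patched.
  next: { affectedFrom: "10.0.0", minors: { "15.5": "15.5.18", "16.2": "16.2.6" } },
  "react-server-dom-webpack": { affectedFrom: "19.0.0", minors: RSC_LINES },
  "react-server-dom-parcel": { affectedFrom: "19.0.0", minors: RSC_LINES },
  "react-server-dom-turbopack": { affectedFrom: "19.0.0", minors: RSC_LINES },
  // Linear release line: only matters for Pages Router + i18n + middleware,
  // and any adapter at or above the fix release carries the fix.
  "@netlify/plugin-nextjs": { minimum: "5.15.11" },
};

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function compareSemver(a, b) {
  for (const part of ["major", "minor", "patch"]) {
    if (a[part] !== b[part]) return a[part] < b[part] ? -1 : 1;
  }
  // A prerelease such as 16.2.0-canary.9 sorts before the 16.2.0 release.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns "patched", "vulnerable", "unknown", "not-affected", "not-covered" or "unparseable".
function verdict(pkg, version) {
  const rule = ADVISORY[pkg];
  if (!rule) return "not-covered";
  const v = parseSemver(version);
  if (!v) return "unparseable";
  if (rule.minimum) {
    return compareSemver(v, parseSemver(rule.minimum)) >= 0 ? "patched" : "vulnerable";
  }
  if (compareSemver(v, parseSemver(rule.affectedFrom)) < 0) return "not-affected";
  const line = `${v.major}.${v.minor}`;
  if (rule.minors[line]) {
    return compareSemver(v, parseSemver(rule.minors[line])) >= 0 ? "patched" : "vulnerable";
  }
  // Not a patched line. Older than the newest patched minor of the same major
  // (or an older major, e.g. 13.x/14.x) means the advisory says it stays
  // unpatched; anything newer is outside the advisory (assumption: "unknown").
  const lines = Object.keys(rule.minors).map((k) => k.split(".").map(Number));
  const sameMajor = lines.filter(([maj]) => maj === v.major).map(([, min]) => min);
  if (sameMajor.length) return v.minor < Math.max(...sameMajor) ? "vulnerable" : "unknown";
  return v.major < Math.min(...lines.map(([maj]) => maj)) ? "vulnerable" : "unknown";
}

// Walks the lockfile's "packages" map; nested paths such as
// node_modules/a/node_modules/b resolve to the innermost package name.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!ADVISORY[name] || !entry.version) continue;
    findings.push({ name, version: entry.version, verdict: verdict(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: a project that also uses react-server-dom-webpack
// directly (Next.js vendors its own copy, so a plain Next.js lock has no entry).
const SAMPLE_LOCK = {
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", version: "1.0.0" },
    "node_modules/next": { version: "15.5.17" },
    "node_modules/react": { version: "19.2.5" },
    "node_modules/react-server-dom-webpack": { version: "19.2.5" },
    "node_modules/@netlify/plugin-nextjs": { version: "5.15.10" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.verdict}`);
}
```

    To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). A Next.js project will normally report only next and the adapter, since Next.js vendors its own copy of react-server-dom-* and the patched copy arrives with the next upgrade; the react-server-dom-* rows matter for direct users (React Router RSC, Vite RSC plugin, custom setups).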

  • Security Update: DoS vulnerability in Next.js and React Server Components

    A denial-of-service (DoS) vulnerability (CVE-2026-23869, CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause excessive CPU consumption. Here’s what Netlify customers need to know.

    Impact on Netlify

    Nominally, this is a server-side DoS vulnerability. On Netlify its impact is limited: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. Active exploitation could still increase your function costs.

    Affected frameworks

    All RSC frameworks are affected:

    • Next.js (see version table below)
    • React Router 7 (if using RSC preview)
    • Waku
    • @parcel/rsc
    • @vitejs/plugin-rsc

    Astro, Gatsby, and Remix are not affected.

    React affected versions

    See the React advisory for full details.

    Affected versions | Fixed in
    19.0.0–19.0.4 | 19.0.5
    19.1.0–19.1.5 | 19.1.6
    19.2.0–19.2.4 | 19.2.5

    Next.js affected versions

    See the Next.js advisory for full details.

    Affected versions | Fixed in
    13.3.0+ | EOL - no fix
    14.x | EOL - no fix
    15.0.0–15.5.14 | 15.5.15
    16.0.0–16.2.2 | 16.2.3

    What should I do?

    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.

    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.

  • Security Update: DoS vulnerability in Next.js and React Server Components

    A denial-of-service (DoS) vulnerability (CVE-2026-23864, CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs (CVE-2025-59471, CVE-2025-59472) patched in the same releases. Here’s what Netlify customers need to know.

    Impact on Netlify

    Nominally, this is a server-side DoS vulnerability. On Netlify its impact is limited: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. Active exploitation could still increase your function costs.

    Affected frameworks

    All RSC frameworks are affected:

    • Next.js (see version table below)
    • React Router 7 (if using RSC preview)
    • Waku
    • @parcel/rsc
    • @vitejs/plugin-rsc

    Astro, Gatsby, and Remix are not affected.

    React affected versions

    See the React blog post for full details.

    Affected versions | Fixed in
    19.0.0–19.0.3 | 19.0.4
    19.1.0–19.1.4 | 19.1.5
    19.2.0–19.2.3 | 19.2.4

    Next.js affected versions

    See the Next.js advisory for full details.

    Affected versions | Fixed in
    13.3.0+ | EOL - no fix
    14.x | EOL - no fix
    15.0.0–15.0.7 | 15.0.8
    15.1.0–15.1.10 | 15.1.11
    15.2.0–15.2.8 | 15.2.9
    15.3.0–15.3.8 | 15.3.9
    15.4.0–15.4.10 | 15.4.11
    15.5.0–15.5.9 | 15.5.10
    15.x canaries | 15.6.0-canary.61
    16.0.0–16.0.10 | 16.0.11
    16.1.0–16.1.4 | 16.1.5
    16.x canaries | 16.2.0-canary.9

    What should I do?

    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.

    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.

  • Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183

    Update (2025-12-12 00:41 UTC): The React and Next.js patches initially published on Dec. 11 at 21:10 incompletely addressed the vulnerabilities. A follow-up CVE was issued and follow-up patches have been released by the React and Next.js teams. All versions below have been updated accordingly. If you upgraded during this 3.5-hour window, please upgrade again.


    Following last week’s critical vulnerability in React and Next.js, two additional vulnerabilities, CVE-2025-55184 and CVE-2025-55183, are being publicly disclosed today.

    Impact

    In both cases, all Next.js sites using App Router are vulnerable. This includes all v14 releases up to and including 14.2.33, all v15 releases up to and including 15.5.7, all v16 releases up to and including 16.0.8, and v13.4+ if opted into the experimental.serverActions flag. (In the case of CVE-2025-55183, only sites actually using any Server Actions are vulnerable.)

    We have collaborated with the React and Next.js teams to roll out mitigations to the Netlify network in advance of public disclosure.

    However, as the past week has shown, attackers around the world move quickly to find novel ways to exploit newly published vulnerabilities. The best protection is to upgrade.

    What should I do?

    Upgrade as soon as possible. Both vulnerabilities are patched in all these releases:

    • Next.js 14.2.35
    • Next.js 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, or 15.5.9
    • Next.js 16.0.10

    As Next.js 13 has been unsupported for over a year, the Next.js team has chosen not to patch it. If your site uses Next.js 13.4+ and has opted in to the experimental.serverActions flag, we strongly recommend upgrading to 14.2.35 or later as soon as possible (note: v14 is also technically unsupported).

    To be abundantly clear: if you have upgraded to address last week’s CVE, you must upgrade once again.

    Other RSC frameworks

    These are React vulnerabilities, in the React Server Functions protocol present in all versions of React 19 up to and including 19.2.1.

    The following RSC implementations are therefore vulnerable: waku, @parcel/rsc, @vitejs/plugin-rsc, react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack, and the React Router 7 RSC preview.

    If you are using any of these, upgrade it to the latest version and upgrade react to 19.0.3, 19.1.4, or 19.2.3 as soon as possible.

    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.

    This post was last updated on 2025-12-11 at 21:15 UTC

  • Netlify’s response to the critical React & Next.js security vulnerability

    Update (2025-12-08 22:45 UTC): Sites that have not yet upgraded to a patched version of Next.js (or other affected framework) must upgrade immediately. Following upgrade, we also recommend rotating all credentials that are scoped for access within Netlify Functions, if you have been running a vulnerable version on or after December 4th, 2025 at 1:00 PM PT.

    Over the past several days, several variants of the original React2Shell exploit have emerged. Netlify is working alongside others in a coordinated industry effort to monitor for exploit variants and has been adjusting our blocking mechanisms accordingly.

    In addition to these attack blocking mechanisms, we are now blocking all further deploys for sites using versions of software affected by CVE-2025-55182 and CVE-2025-66478.

    Update (2025-12-06 19:15 UTC): An official npm package has been released to update affected Next.js apps. Use npx fix-react2shell-next to update now. For more information, check the GitHub repository for react2shell.

    Update (2025-12-06 15:42 UTC): As this threat landscape is still evolving in real time, we advise all customers to immediately upgrade all React and Next.js projects to a patched version.

    Update (2025-12-06 09:24 UTC): We have deployed further mitigations for newly discovered exploit vectors.

    A critical vulnerability (CVE-2025-55182) was recently disclosed in React’s Server Functions protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.

    Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.

    The vulnerability can be exploited using all RSC implementations, including:

    In affected configurations, an attacker could craft a request that allows them to execute arbitrary code within the context of the victim’s app.

    On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since then, Netlify customers have not been vulnerable to the exploit. We have found no evidence of exploitation on any Netlify sites.

    Please upgrade all React and Next.js projects to a patched version immediately, and, in the case of Next.js, allow automatic updates of the OpenNext Netlify Next.js adapter.

    We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.


    This post was last updated on 2025-12-08 at 22:45 UTC

  • Next.js 16 is ready to deploy on Netlify

    The Next.js 16 release is here and Netlify is ready.

    Deploy the latest version, including Turbopack, React Compiler, and enhanced caching APIs, with zero configuration.

    • Turbopack (stable): Up to 10× faster Fast Refresh and 2-5× faster builds
    • React Compiler (stable): Automatic memoization for smoother re-renders
    • Improved caching APIs: revalidateTag with cacheLife profile argument for Stale-While-Revalidate behavior and Server Actions-only updateTag to immediately refresh cached data

    Template update

    We’ve updated the Next Platform Starter to v16, showcasing Turbopack and the new caching APIs in action. In our tests, the project saw a 2.8× faster next build with Turbopack.

    Upgrading to v16 on Netlify

    If you’re upgrading from v15, no Netlify configuration changes are required. Teams that have opted out of automatic updates for Netlify’s OpenNext adapter will need to manually upgrade, or simply opt back in to receive automatic updates.

  • Security Update: Multiple vulnerabilities in Next.js

    We are aware of recently disclosed vulnerabilities affecting Next.js applications:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download
    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()
    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    As a security precaution, we recommend upgrading to the latest versions of Next.js and enabling automatic updates of the OpenNext Netlify Next.js adapter.

    The engineering team at Netlify has reviewed these and determined the following impact on Netlify sites:

    1. CVE-2025-55173: Next.js Image Optimization – Arbitrary File Download

    Sites on Netlify are not vulnerable.

    Next.js sites on Netlify use Netlify’s Image CDN instead of the affected built-in Next.js Image Optimization feature. Furthermore, Netlify Image CDN strips the Content-Disposition header, which successful exploitation of this vulnerability requires. With that header removed it is not possible to force a file download or override the filename, even when the requested image type does not match the source file type.

    2. CVE-2025-57822: Next.js Middleware – SSRF via Misuse of next()

    Sites on Netlify are not vulnerable.

    Our OpenNext adapter uses Edge Functions to run middleware and relies on the context.next() API as the underlying implementation of NextResponse.next() calls, passing the original request URL and preventing this attack vector.

    3. CVE-2025-57752: Next.js Image Optimization – Cache Poisoning / Unauthorized Disclosure

    Next.js sites on Netlify are potentially vulnerable, if the sites use the next/image component to fetch images from a source that uses headers to conditionally serve images.

    Next.js sites using the next/image component automatically opt into Netlify’s Image CDN which, by design, caches the source assets on Netlify’s Edge Cache. This means that a source image served behind an authorization header will be cached on the Netlify Edge Cache to improve performance. Upgrading to the newest version of Next.js will not change this behavior.

    If your Next.js site serves images from a protected source, we advise you to not use the next/image component so that you have full control over the caching and authorization strategies required for your use-case.

    We are working continually with the Next.js team and are committed to making your sites secure on Netlify.

  • Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421

    The Next.js team recently disclosed CVE-2025-32421, a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.

    The engineering team at Netlify has confirmed that Next.js sites on Netlify are not vulnerable. The vulnerability requires a CDN that may cache responses without explicit Cache-Control headers, which Netlify’s CDN never does.

    As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and allowing automatic updates of the OpenNext Netlify Next.js adapter.
