---
title: "Security | Netlify Changelog"
description: "Get the latest updates on Netlify products and features to meet your developer needs."
source: "https://www.netlify.com/changelog/tag/security/"
last_updated: "2026-07-06T07:14:14.000Z"
---
# Posts tagged "Security"

All Tags Agent-runners AI Ai-gateway Angular Astro AX Build CLI Database Design Devtools Domains E-commerce Extensions Forms Framework Functions Logs Next.js Nuxt.js Remix SDK Security Updates Workflow  [Subscribe to feed](https://www.netlify.com/changelog/tag/security/feed.xml)

-   [
    
    ## SAML provisioning upgrades for assigning default roles
    
    ](/changelog/2026-06-22-saml-provisioning-role-options/)
    
    June 22, 2026
    
    -   [security](/changelog/tag/security/)
    
    When you provision new users through SAML SSO, you now have more options for assigning a default role.
    
    Before this update, the Developer role was assigned by default. Now you can assign other roles with fewer permissions, such as [Reviewers](https://docs.netlify.com/manage/accounts-and-billing/team-management/roles-and-permissions/#reviewer) and [Internal Builders](https://docs.netlify.com/manage/accounts-and-billing/team-management/roles-and-permissions/#internal-builder).
    
    Learn more about your options for provisioning with [SAML SSO on Netlify](https://docs.netlify.com/manage/security/secure-netlify-access/configure-organization-saml-sso/).
    
    [Permalink to SAML provisioning upgrades for assigning default roles Permalink](/changelog/2026-06-22-saml-provisioning-role-options/)
    
-   [
    
    ## Security update: multiple vulnerabilities in React Router
    
    ](/changelog/2026-06-02-react-router-security-vulnerabilities/)
    
    June 2, 2026
    
    -   [security](/changelog/tag/security/)
    -   [remix](/changelog/tag/remix/)
    
    The React Router team has disclosed seven security vulnerabilities. Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    Vulnerability
    
    Package
    
    Affected versions
    
    Fixed in
    
    [GHSA-8x6r-g9mw-2r78](https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78) — DoS via `__manifest` endpoint
    
    `react-router`
    
    7.0.0–7.14.x
    
    7.15.0
    
    [GHSA-rxv8-25v2-qmq8](https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8) — DoS via single-fetch request body
    
    `react-router`
    
    7.0.0–7.13.x
    
    7.14.0
    
    [GHSA-8646-j5j9-6r62](https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62) — XSS via `javascript:` redirect in unstable RSC
    
    `react-router`
    
    7.7.0–7.13.1
    
    7.13.2
    
    [GHSA-49rj-9fvp-4h2h](https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h) — RCE when chained with prototype pollution
    
    `react-router`
    
    7.5.2–7.14.1
    
    7.14.2
    
    [GHSA-2j2x-hqr9-3h42](https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42) — Protocol-relative open redirect
    
    `react-router`
    
    7.0.0–7.14.0
    
    7.14.1
    
    [GHSA-f22v-gfqf-p8f3](https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3) — Stored XSS in prerendered redirect HTML
    
    `@react-router/dev`
    
    7.0.0–7.13.1
    
    7.13.2
    
    [GHSA-84g9-w2xq-vcv6](https://github.com/remix-run/react-router/security/advisories/GHSA-84g9-w2xq-vcv6) — CSRF check bypassed for PUT/PATCH/DELETE
    
    `react-router`
    
    7.12.0–7.15.0
    
    7.15.1
    
    ## Impact on Netlify
    
    ### GHSA-8x6r-g9mw-2r78 and GHSA-rxv8-25v2-qmq8 (denial of service)
    
    These are server-side denial-of-service (DoS) vulnerabilities. **On Netlify, these have minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ### GHSA-8646-j5j9-6r62 (XSS in unstable RSC)
    
    This vulnerability affects apps using the experimental `unstable_*` RSC APIs where an attacker can control a redirect target. Only apps using these unstable APIs are affected.
    
    **Regardless of hosting provider, affected apps passing untrusted input into RSC redirect calls may be vulnerable.**
    
    ### GHSA-49rj-9fvp-4h2h (RCE when chained)
    
    **This vulnerability is not directly exploitable against React Router alone.** Reaching the vulnerable code path requires the application to first be independently vulnerable to a prototype pollution attack.
    
    ### GHSA-2j2x-hqr9-3h42 (open redirect)
    
    Apps that redirect users to attacker-supplied URLs with the intent to restrict them to the same origin may inadvertently allow protocol-relative redirects to external origins.
    
    **Regardless of hosting provider, all affected apps passing untrusted input to `redirect()` may be vulnerable.**
    
    ### GHSA-f22v-gfqf-p8f3 (stored XSS in prerendering)
    
    This vulnerability affects apps using the prerendering feature (`prerender: [...]` in `react-router.config.ts`). If any redirect target baked into a prerendered build originates from external or attacker-controlled data, the static artifact remains affected until a fresh build is run with a patched version.
    
    **Regardless of hosting provider, all affected apps using prerendering with externally sourced redirect targets may be vulnerable.**
    
    ### GHSA-84g9-w2xq-vcv6 (CSRF bypass for PUT/PATCH/DELETE)
    
    The CSRF origin check introduced in React Router 7.12.0 only applied to `POST` requests on the document-request path, leaving `PUT`, `PATCH`, and `DELETE` unchecked. In practice, exploitation additionally requires the app to have explicitly opened CORS for those methods and to be issuing session cookies with `SameSite=None`.
    
    **Regardless of hosting provider, this only poses a meaningful risk in apps with permissive cross-origin configurations.**
    
    ## What should I do?
    
    We strongly recommend upgrading as soon as possible to patched releases:
    
    -   `react-router` 7.15.1 or later
    -   `@react-router/dev` 7.13.2 or later (if using prerendering)
    
    If your app uses prerendering, trigger a fresh build after upgrading to regenerate any affected static assets.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    [Permalink to Security update: multiple vulnerabilities in React Router Permalink](/changelog/2026-06-02-react-router-security-vulnerabilities/)
    
-   [
    
    ## Security update: multiple vulnerabilities in Nuxt
    
    ](/changelog/2026-05-19-nuxt-security-vulnerabilities/)
    
    May 19, 2026
    
    -   [security](/changelog/tag/security/)
    -   [nuxt.js](/changelog/tag/nuxt-js/)
    
    The Nuxt team has disclosed four security vulnerabilities. Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    -   [**CVE-2026-47200**](https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj): Route middleware bypass via island page endpoints (nuxt 3.11.0–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-46342**](https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v): Island response not validated against request props (nuxt 3.1.0–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-45670**](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g): Dev server exposes built source over LAN (nuxt 3.15.4–3.21.5, 4.0.0-alpha.1–4.4.5)
    -   [**CVE-2026-45669**](https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468): Reflected XSS via `navigateTo` with `external: true` (nuxt 3.4.3–3.21.5, 4.0.0-alpha.1–4.4.5)
    
    ## Impact on Netlify
    
    ### CVE-2026-47200 (route middleware bypass)
    
    When component islands are enabled — the default in Nuxt 4, and available via an opt-in flag in Nuxt 3 — `.server.vue` page files are accessible via `/__nuxt_island/page_*` endpoints that render pages without invoking Vue Router, bypassing route middleware entirely. An unauthenticated attacker can request these endpoints directly to access pages that rely solely on middleware for access control.
    
    **Regardless of hosting provider, all affected Nuxt apps using `.server.vue` pages with route-middleware-only authentication are vulnerable.**
    
    ### CVE-2026-46342 (island cache poisoning)
    
    The `/__nuxt_island/*` endpoint accepts props via query parameters without server-side hash validation, allowing the same path to return different content depending on query parameters. If an upstream cache keys on path only, an attacker can inject crafted props into cached responses — enabling XSS if the application renders those props through unsafe HTML sinks.
    
    On Netlify, [cached function responses vary by query string](https://docs.netlify.com/build/caching/caching-overview/#default-caching-behavior). **This vulnerability requires overriding Netlify’s default `Netlify-Vary` behavior and is not exploitable in standard Netlify deployments.**
    
    ### CVE-2026-45670 (dev server source exposure)
    
    Running `nuxt dev --host` binds the development server to a non-loopback address; with the rspack or webpack builder (not the default Vite builder), malicious sites on the same network can access the application’s source code. This only affects local development environments.
    
    **Netlify production deployments are not affected.** Developers should avoid using `--host` with rspack or webpack builders, or upgrade to patch the issue.
    
    ### CVE-2026-45669 (reflected XSS via `navigateTo`)
    
    When `navigateTo()` is called with `external: true`, Nuxt generates a server-side HTML meta-refresh redirect. The destination URL is insufficiently sanitized — HTML-significant characters are not encoded, so an attacker who controls the URL parameter can inject arbitrary scripts that execute before the redirect occurs.
    
    **Regardless of hosting provider, all apps passing untrusted user input to `navigateTo()` with `external: true` are vulnerable.**
    
    ## What should I do?
    
    We strongly recommend upgrading as soon as possible to patched releases:
    
    -   `nuxt` 3.21.6 or later (for Nuxt 3.x), or 4.4.6 or later (for Nuxt 4.x)
    -   `@nuxt/rspack-builder` and `@nuxt/webpack-builder` 3.21.6 or later, or 4.4.6 or later (if applicable)
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [Nuxt security advisories](https://github.com/nuxt/nuxt/security)
    
    [Permalink to Security update: multiple vulnerabilities in Nuxt Permalink](/changelog/2026-05-19-nuxt-security-vulnerabilities/)
    
-   [
    
    ## Block project transfers out of your team
    
    ](/changelog/2026-05-08-block-project-transfers/)
    
    May 8, 2026
    
    -   [security](/changelog/tag/security/)
    -   [workflow](/changelog/tag/workflow/)
    
    Team Owners can now guarantee that projects stay within the team to meet compliance or ownership requirements by blocking every project from being transferred to another team.
    
    Once a Team Owner blocks project transfers out of the team, even the Team Owner cannot transfer projects out of the team unless they change this setting, which is tracked in the team’s audit log.
    
    ## Try it out
    
    To change the setting, go to **Team settings > Access & security > Transfer site settings** and select **Edit settings**.
    
    ![Transfer project settings panel showing Allowed and Blocked options for project transfers](/images/changelog/block-project-transfers-setting.png)
    
    When transfers are blocked, the **Transfer project** action is hidden for every project owned by the team and the backend rejects transfer requests for those projects.
    
    ## Enterprise defaults
    
    Enterprise teams start with project transfers set to **Blocked** for security reasons, but Team Owners can change this setting to **Allowed** at any time. Only Team Owners can change this setting and changes are recorded in the team audit log.
    
    ## Learn more
    
    Learn more in our docs on [Transferring a project](https://docs.netlify.com/manage/accounts-and-billing/team-management/team-owned-sites/).
    
    [Permalink to Block project transfers out of your team Permalink](/changelog/2026-05-08-block-project-transfers/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in Next.js and React
    
    ](/changelog/2026-05-08-react-nextjs-security-vulnerabilities/)
    
    May 8, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    The Next.js and React teams have disclosed [twelve security vulnerabilities](https://github.com/vercel/next.js/security): one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.
    
    ## Summary
    
    If you run Next.js on Netlify, **we strongly recommend upgrading `next` to 15.5.18 or 16.2.6** and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). If you use `react-server-dom-*` outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See [What should I do?](#what-should-i-do) for full steps.
    
    Netlify’s platform is **not** vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See [Impact on Netlify](#impact-on-netlify) for the per-CVE verdict.
    
    ## Vulnerabilities
    
    ### React (`react-server-dom-*`)
    
    This affects `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. The Next.js advisory [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) tracks the same issue downstream.
    
    Vulnerability
    
    Severity
    
    Affected versions
    
    Fixed in
    
    [GHSA-rv78-f8rc-xrxh](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) — DoS in Server Components ([CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870))
    
    High
    
    19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5
    
    19.0.6, 19.1.7, 19.2.6
    
    ### Next.js
    
    All Next.js issues are patched in **15.5.18** and **16.2.6**. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.
    
    Vulnerability
    
    Severity
    
    Affected versions
    
    [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) — DoS with Server Components
    
    High
    
    ≥13.0.0
    
    [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) — Middleware / Proxy bypass in App Router via segment-prefetch routes
    
    High
    
    ≥15.2.0
    
    [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) — Follow-up to [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f): incomplete fix for `middleware.ts` with Turbopack
    
    High
    
    ≥15.2.0
    
    [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) — DoS via connection exhaustion in apps using Cache Components
    
    High
    
    ≥15.0.0 (apps using Cache Components)
    
    [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) — Middleware / Proxy bypass through dynamic route parameter injection
    
    High
    
    ≥15.4.0
    
    [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) — SSRF in applications using WebSocket upgrades
    
    High
    
    ≥13.4.13
    
    [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) — Middleware / Proxy bypass in Pages Router applications using i18n
    
    High
    
    ≥12.2.0
    
    [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) — XSS in App Router applications using CSP nonces
    
    Medium
    
    ≥13.4.0
    
    [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) — XSS in `beforeInteractive` scripts with untrusted input
    
    Medium
    
    ≥13.0.0
    
    [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) — DoS in the Image Optimization API
    
    Medium
    
    ≥10.0.0
    
    [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) — Cache poisoning in React Server Component responses
    
    Medium
    
    ≥14.2.0
    
    [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) — Cache poisoning via collisions in React Server Component cache-busting
    
    Low
    
    ≥13.4.6
    
    [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) — Middleware / Proxy redirects can be cache-poisoned
    
    Low
    
    ≥12.2.0
    
    ## Impact on Netlify
    
    ### Denial of service
    
    [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) and [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have **minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components ([GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx)) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.
    
    [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) affects the Next.js Image Optimization API. Netlify projects are **not affected**: this Next.js code path is not used on Netlify — image optimization is handled by [Netlify Image CDN](https://docs.netlify.com/build/image-cdn/overview/), a separate service that runs outside your project’s functions with its own protections against this class of issue.
    
    ### Middleware / proxy bypass
    
    These four CVEs affect Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per CVE:
    
    -   [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) (cache-poisoned redirects): Netlify projects are **not affected**. Our OpenNext Netlify Next.js adapter already varies cached responses on the `x-nextjs-data` header.
    -   [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) (dynamic route parameter injection): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
    -   [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are **affected**. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). See [how to upgrade](#what-should-i-do) below.
    -   [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) (App Router segment-prefetch bypass) and [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) (follow-up): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves both.
    
    ### Cross-site scripting
    
    [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) and [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to `beforeInteractive` scripts may be **vulnerable**. Upgrade Next.js to remediate.
    
    ### Server-side request forgery
    
    [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) affects applications using WebSocket upgrades. Netlify projects are **not affected**: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.
    
    ### Cache poisoning
    
    [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) and [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) affect React Server Component response caching. Netlify projects are **not affected**: Netlify’s CDN does not rely on the `_rsc` cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors `Vary` on RSC-related request headers.
    
    ## What should I do?
    
    We strongly recommend upgrading as soon as possible to patched releases:
    
    -   **Next.js projects:** upgrade `next` to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate `react-server-dom-*` upgrade is not needed.
    -   **Direct `react-server-dom-*` users** (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    For projects using Pages Router with i18n and Next.js Middleware / Proxy ([GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5)), the upstream Next.js fix does not fully apply on Netlify. The fix ships in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11):
    
    -   Auto-installed adapter (default): redeploy.
    -   Manually installed adapter: upgrade `@netlify/plugin-nextjs` to v5.15.11 and redeploy. We recommend [not pinning the adapter version](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#how-netlify-runs-your-nextjs-app) so future fixes ship automatically.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React security advisory (GHSA-rv78-f8rc-xrxh)](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh)
    -   [CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870)
    -   [Next.js security advisories](https://github.com/vercel/next.js/security)
    
    [Permalink to Security Update: Multiple vulnerabilities in Next.js and React Permalink](/changelog/2026-05-08-react-nextjs-security-vulnerabilities/)
    
-   [
    
    ## Security Update: DoS vulnerability in Next.js and React Server Components
    
    ](/changelog/2026-04-08-react-nextjs-dos-vulnerability/)
    
    April 8, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    A denial-of-service (DoS) vulnerability ([CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause excessive CPU consumption. Here’s what Netlify customers need to know.
    
    ## Impact on Netlify
    
    Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ## Affected frameworks
    
    All RSC frameworks are affected:
    
    -   **Next.js** (see version table below)
    -   React Router 7 (if using RSC preview)
    -   Waku
    -   `@parcel/rsc`
    -   `@vitejs/plugin-rsc`
    
    Astro, Gatsby, and Remix are not affected.
    
    ### React affected versions
    
    See the [React advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg) for full details.
    
    Affected versions
    
    Fixed in
    
    19.0.0–19.0.4
    
    19.0.5
    
    19.1.0–19.1.5
    
    19.1.6
    
    19.2.0–19.2.4
    
    19.2.5
    
    ### Next.js affected versions
    
    See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3) for full details.
    
    Affected versions
    
    Fixed in
    
    13.3.0+
    
    EOL - no fix
    
    14.x
    
    EOL - no fix
    
    15.0.0–15.5.14
    
    15.5.15
    
    16.0.0–16.2.2
    
    16.2.3
    
    ## What should I do?
    
    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869)
    -   [React security advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg)
    -   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3)
    
    [Permalink to Security Update: DoS vulnerability in Next.js and React Server Components Permalink](/changelog/2026-04-08-react-nextjs-dos-vulnerability/)
    
-   [
    
    ## Automatic PHP bot scan blocking now live on all plans
    
    ](/changelog/2026-02-27-php-scan-blocking/)
    
    February 27, 2026
    
    -   [security](/changelog/tag/security/)
    
    Netlify now automatically blocks bot scans targeting PHP paths across all plans — no configuration required.
    
    Previously, these bots generated noise in [Observability](https://docs.netlify.com/manage/monitoring/observability/overview) logs and metrics. They showed up without a `User-Agent` header. Netlify now blocks them at the edge.
    
    Since rolling out edge-level blocking on December 28, 2025, Netlify has blocked 2.9 billion of these requests.
    
    [Permalink to Automatic PHP bot scan blocking now live on all plans Permalink](/changelog/2026-02-27-php-scan-blocking/)
    
-   [
    
    ## Security Update: DoS vulnerability in Next.js and React Server Components
    
    ](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
    January 26, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    A denial-of-service (DoS) vulnerability ([CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs ([CVE-2025-59471](https://www.cve.org/CVERecord?id=CVE-2025-59471), [CVE-2025-59472](https://www.cve.org/CVERecord?id=CVE-2025-59472)) patched in the same releases. Here’s what Netlify customers need to know.
    
    ## Impact on Netlify
    
    Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ## Affected frameworks
    
    All RSC frameworks are affected:
    
    -   **Next.js** (see version table below)
    -   React Router 7 (if using RSC preview)
    -   Waku
    -   `@parcel/rsc`
    -   `@vitejs/plugin-rsc`
    
    Astro, Gatsby, and Remix are not affected.
    
    ### React affected versions
    
    See the [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for full details.
    
    Affected versions
    
    Fixed in
    
    19.0.0–19.0.3
    
    19.0.4
    
    19.1.0–19.1.4
    
    19.1.5
    
    19.2.0–19.2.3
    
    19.2.4
    
    ### Next.js affected versions
    
    See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf) for full details.
    
    Affected versions
    
    Fixed in
    
    13.3.0+
    
    EOL - no fix
    
    14.x
    
    EOL - no fix
    
    15.0.0–15.0.7
    
    15.0.8
    
    15.1.0–15.1.10
    
    15.1.11
    
    15.2.0–15.2.8
    
    15.2.9
    
    15.3.0–15.3.8
    
    15.3.9
    
    15.4.0–15.4.10
    
    15.4.11
    
    15.5.0–15.5.9
    
    15.5.10
    
    15.x canaries
    
    15.6.0-canary.61
    
    16.0.0–16.0.10
    
    16.0.11
    
    16.1.0–16.1.4
    
    16.1.5
    
    16.x canaries
    
    16.2.0-canary.9
    
    ## What should I do?
    
    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
    -   [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
    -   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf)
    
    [Permalink to Security Update: DoS vulnerability in Next.js and React Server Components Permalink](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in React Router and Remix
    
    ](/changelog/2026-01-15-react-router-remix-security-vulnerabilities/)
    
    January 19, 2026
    
    -   [security](/changelog/tag/security/)
    -   [remix](/changelog/tag/remix/)
    
    The React Router team has disclosed six security vulnerabilities affecting React Router and Remix. Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    Vulnerability
    
    Remix versions
    
    React Router versions & modes
    
    [CVE-2025-61686](https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw) - Path traversal
    
    ≤2.17.1
    
    7.0.0–7.9.3  
    All modes
    
    [CVE-2025-68470](https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m) - Open redirect
    
    \-
    
    6.0.0–6.30.1, 7.0.0–7.9.5  
    All modes
    
    [CVE-2026-22030](https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh) - CSRF
    
    ≤2.17.2
    
    7.0.0–7.11.0  
    Framework only
    
    [CVE-2025-59057](https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8) - Meta XSS
    
    1.15.0–2.17.0
    
    7.0.0–7.8.2  
    Framework only
    
    [CVE-2026-22029](https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx) - Redirect XSS
    
    ≤2.17.3
    
    6.0.0–6.30.2, 7.0.0–7.11.0  
    Framework, Data
    
    [CVE-2026-21884](https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7) - ScrollRestoration XSS
    
    ≤2.17.2
    
    7.0.0–7.11.0  
    Framework only
    
    ## Impact on Netlify
    
    ### CVE-2025-61686 (path traversal)
    
    This vulnerability affects `@react-router/node`, `@remix-run/node`, and `@remix-run/deno`. These packages are not used on Netlify, therefore **Netlify projects are not affected**.
    
    ### CVE-2025-68470 (open redirect)
    
    Apps with unsafe uses of React Router navigation APIs may be hijacked to redirect to arbitrary origins.
    
    **Regardless of hosting provider, all apps constructing paths from untrusted user input may be vulnerable.**
    
    ### CVE-2026-22030 (CSRF)
    
    Actions and experimental RSC Server Functions can be triggered by cross-origin form submissions, allowing an attacker to execute actions on behalf of authenticated users.
    
    **Regardless of hosting provider, all apps may be vulnerable.**
    
    ### CVE-2025-59057, CVE-2026-22029, and CVE-2026-21884 (XSS)
    
    These are cross-site scripting (XSS) vulnerabilities. For example, in CVE-2026-22029 actions and experimental RSC Server Functions performing a redirect to a path constructed from untrusted user input may be hijacked to execute arbitrary JavaScript in the browser.
    
    **Regardless of hosting provider, all apps passing untrusted data into certain APIs may be vulnerable.** (The Remix team has left this intentionally vague.)
    
    ## What should I do?
    
    If any of your projects are using any affected version listed above, we strongly recommend upgrading as soon as possible to patched releases:
    
    -   `react-router` 7.12.0 or later (for React Router 7.x)
    -   `react-router` 6.30.2 or later (for React Router 6.x)
    -   `@remix-run/react` 2.17.4 or later
    -   `@remix-run/server-runtime` 2.17.4 or later
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    [Permalink to Security Update: Multiple vulnerabilities in React Router and Remix Permalink](/changelog/2026-01-15-react-router-remix-security-vulnerabilities/)
    

[Next page](/changelog/tag/security/page/2)