Next.js Patches 12 Vulnerabilities, 13.x and 14.x Users Left Behind
A coordinated security disclosure on May 6 patched 12 vulnerabilities across Next.js, including middleware bypass, XSS, and SSRF. Patches were NOT backported to 13.x or 14.x. If you haven't upgraded to 15.x or 16.x, now is the time.
On May 6–8, 2026, Vercel and the React team disclosed and patched 12 vulnerabilities in Next.js and React Server Components. The fixes are in Next.js 15.5.18 and 16.2.6, plus RSC 19.0.6 / 19.1.7 / 19.2.6. If you're on Next.js 13.x or 14.x, there is no patch.
What was affected
| Component | Vulnerability Types |
|---|---|
| Next.js middleware/proxy | Bypass, SSRF |
| React Server Components | XSS, cache poisoning |
| Next.js image optimization | DoS |
| Next.js routing | Open redirect |
Several vulnerabilities are rated High severity. The middleware bypass and SSRF vectors are particularly dangerous for multi-tenant applications.
Why no backports
Vercel made the strategic call not to backport patches to Next.js 13.x or 14.x. The reasoning: 15.x introduced architectural changes (React 19, new caching model) that make backporting the fixes non-trivial. The practical consequence: teams on 13.x or 14.x must upgrade to a supported version to get the fixes.
Upgrade paths
| Current Version | Upgrade Target | Breaking Changes |
|---|---|---|
| 13.x | 15.5.18 | Yes, React 19, caching, Image component |
| 14.x | 15.5.18 | Moderate, mostly caching behavior |
| 15.x (pre-patch) | 15.5.18 | None, patch bump |
| 16.x (pre-patch) | 16.2.6 | None, patch bump |
Immediate actions
- Check your version:
npx next --version - If on 13.x or 14.x: schedule the 15.x upgrade. The security exposure is real and unpatched.
- If on 15.x or 16.x: run
npm update nextto get the patch. - Audit RSC usage: if you use Server Components directly (outside Next.js), update to the patched RSC versions.
The bottom line
This isn't a drill. If your production app runs on Next.js 13.x or 14.x, it's exposed to unpatched vulnerabilities rated High. The upgrade to 15.x isn't zero-cost, but the alternative, staying vulnerable, is worse.