← Back to all briefs
Architecture55s read

Next.js Patches 12 Vulnerabilities, 13.x and 14.x Users Left Behind

A coordinated security disclosure on May 6 patched 12 vulnerabilities across Next.js, including middleware bypass, XSS, and SSRF. Patches were NOT backported to 13.x or 14.x. If you haven't upgraded to 15.x or 16.x, now is the time.

On May 6–8, 2026, Vercel and the React team disclosed and patched 12 vulnerabilities in Next.js and React Server Components. The fixes are in Next.js 15.5.18 and 16.2.6, plus RSC 19.0.6 / 19.1.7 / 19.2.6. If you're on Next.js 13.x or 14.x, there is no patch.

What was affected

Component Vulnerability Types
Next.js middleware/proxy Bypass, SSRF
React Server Components XSS, cache poisoning
Next.js image optimization DoS
Next.js routing Open redirect

Several vulnerabilities are rated High severity. The middleware bypass and SSRF vectors are particularly dangerous for multi-tenant applications.

Why no backports

Vercel made the strategic call not to backport patches to Next.js 13.x or 14.x. The reasoning: 15.x introduced architectural changes (React 19, new caching model) that make backporting the fixes non-trivial. The practical consequence: teams on 13.x or 14.x must upgrade to a supported version to get the fixes.

Upgrade paths

Current Version Upgrade Target Breaking Changes
13.x 15.5.18 Yes, React 19, caching, Image component
14.x 15.5.18 Moderate, mostly caching behavior
15.x (pre-patch) 15.5.18 None, patch bump
16.x (pre-patch) 16.2.6 None, patch bump

Immediate actions

  1. Check your version: npx next --version
  2. If on 13.x or 14.x: schedule the 15.x upgrade. The security exposure is real and unpatched.
  3. If on 15.x or 16.x: run npm update next to get the patch.
  4. Audit RSC usage: if you use Server Components directly (outside Next.js), update to the patched RSC versions.

The bottom line

This isn't a drill. If your production app runs on Next.js 13.x or 14.x, it's exposed to unpatched vulnerabilities rated High. The upgrade to 15.x isn't zero-cost, but the alternative, staying vulnerable, is worse.