Vercel Patches Dozen Flaws in Next.js and React Server Components

Vercel's security update for Next.js and React Server Components addresses over a dozen vulnerabilities, including denial of service, middleware bypass, and server-side request forgery flaws.

CSBadmin

Critical Denial of Service and Request Forgery Flaws Fixed

Vercel has released security updates for Next.js and React Server Components, addressing over a dozen vulnerabilities that could allow denial of service, middleware bypass, and server-side request forgery. The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for version 19.x.

One high-severity issue is a denial of service vulnerability in React Server Components. A specially crafted HTTP request sent to any App Router Server Function endpoint can trigger excessive CPU usage during deserialization. The problem lies in the React Flight protocol's deserialization logic, which does not properly enforce structural or type constraints on incoming payloads.

Middleware Bypass and Protection Recommendations

Three separate advisories address middleware bypass vulnerabilities in App Router applications. Specially crafted URLs using .rsc and segment prefetch formats can resolve to the same page without being matched by intended middleware rules. This allows protected content to be accessed without proper authorization checks. The patch ensures that App Router transport variants are included when generating middleware matchers, so protections apply consistently to all request types, including prefetch variants. Until an upgrade is possible, developers should enforce authorization directly in the route or page logic instead of relying solely on middleware.
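
The recommendation above, enforcing authorization inside the route itself, as an added example that is not Vercel's or Next.js's own code. It uses only the Web `Request`/`Response` objects that App Router route handlers receive, so it runs under plain Node.js; the session store, cookie name and role names are constructed for the demo.

```javascript
// Constructed in-memory session store: session id -> user record (demo only).
const SESSIONS = new Map([
  ["sess-admin-1", { name: "alice", role: "admin" }],
  ["sess-user-1", { name: "bob", role: "user" }],
]);

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Authorization decision taken from the request itself. Because it runs inside the
// handler, it applies to every transport that reaches this route (HTML page, .rsc
// payload or segment prefetch), independent of whether a middleware matcher fired.
function authorize(request, requiredRole) {
  const cookies = parseCookies(request.headers.get("cookie"));
  const user = SESSIONS.get(cookies.session);
  if (!user) return { ok: false, status: 401, reason: "no valid session" };
  if (user.role !== requiredRole) return { ok: false, status: 403, reason: "insufficient role" };
  return { ok: true, status: 200, user };
}

// Small JSON response helper (avoids depending on Response.json availability).
function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Route handler in the shape App Router expects (e.g. app/admin/report/route.js).
// The check is the first thing the handler does; nothing is rendered before it passes.
function GET(request) {
  const auth = authorize(request, "admin");
  if (!auth.ok) return json({ error: auth.reason }, auth.status);
  return json({ report: `hello ${auth.user.name}` }, 200);
}
```

The same `authorize` call belongs at the top of any Server Function or page that middleware was meant to protect, so a request that reaches the route by an unmatched URL variant is still refused.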

A high-severity server-side request forgery flaw affects self-hosted Node.js deployments through crafted WebSocket upgrade requests. An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints. Vercel-hosted deployments are explicitly noted as unaffected.

Source: Cyber Security News
