惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
V
Vulnerabilities – Threatpost
Apple Machine Learning Research
Apple Machine Learning Research
V
V2EX
博客园 - 叶小钗
阮一峰的网络日志
阮一峰的网络日志
人人都是产品经理
人人都是产品经理
Latest news
Latest news
博客园 - 三生石上(FineUI控件)
美团技术团队
aimingoo的专栏
aimingoo的专栏
Google Online Security Blog
Google Online Security Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threatpost
Y
Y Combinator Blog
T
Tailwind CSS Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
Tenable Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
D
Docker
Cyberwarzone
Cyberwarzone
量子位
A
About on SuperTechFans
The Last Watchdog
The Last Watchdog
雷峰网
雷峰网
C
CERT Recently Published Vulnerability Notes
P
Palo Alto Networks Blog
The Hacker News
The Hacker News
Blog — PlanetScale
Blog — PlanetScale
P
Proofpoint News Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
F
Full Disclosure
The Cloudflare Blog
T
The Blog of Author Tim Ferriss
T
The Exploit Database - CXSecurity.com
Engineering at Meta
Engineering at Meta
O
OpenAI News
Hacker News - Newest:
Hacker News - Newest: "LLM"
Scott Helme
Scott Helme
IT之家
IT之家
S
Secure Thoughts
MongoDB | Blog
MongoDB | Blog
L
Lohrmann on Cybersecurity
博客园 - 司徒正美
Google DeepMind News
Google DeepMind News

Netlify Changelog

Gemini 3.5 Flash now available in Agent Runners 4 Nuxt CVEs: what Netlify users need to know Gemini 3.5 Flash now available in AI Gateway Agent Runners workflow improvements Block project transfers out of your team Gemini 3.1 Flash-Lite now available in AI Gateway OpenAI GPT-5.5 Instant now available in AI Gateway New `netlify logs` CLI command Deploy to Netlify with Stripe Projects Netlify Database is now generally available OpenAI GPT-5.5 and GPT-5.5 Pro in AI Gateway & Agent Runners Rename an agent run GPT Image 2 now available in AI Gateway New frontend-design skill for Agent Runners Claude Opus 4.7 now available in AI Gateway and Agent Runners Pricing updates for Credit-based plans New sorting and filter controls on the Members page Netlify Database GA coming soon, no new databases for now Deploy logs streaming is now faster Netlify CLI adds prompt-based creation and anonymous deploys Deploy from Codex with the Netlify Plugin Hydrogen with React Router 7 now supported on Netlify Monitor credit usage by day Invoices for Enterprise Available on the Billing Page AI app development on production infrastructure with Netlify Introducing Prompt Templates OpenAI GPT-5.4 Nano and GPT-5.4 Mini in AI Gateway Change your pricing plan Internal Builder Role & Project Access Controls See your available credits at a glance Astro 6 just works on Netlify Limit AI feature usage OpenAI GPT-5.4 and GPT-5.4 Pro in AI Gateway & Agent Runners Deploy Preview screenshots in agent runs Gemini 3.1 Flash-Lite Preview now available in AI Gateway GPT-5.3 Instant now available in AI Gateway Use Netlify Agent Runners from Linear Automatic PHP bot scan blocking now live on all plans Support for stale-while-revalidate in Cache API Gemini 3.1 Flash Image Preview now available in AI Gateway GPT-5.3-Codex now available in AI Gateway Gemini 3.1 Pro Preview now available in AI Gateway Claude Sonnet 4.6 now available in AI Gateway and Agent Runners Sync changes with Agent Runners without Git Claude Opus 4.6 now available in AI Gateway and Agent Runners Agent Runners improvements recap 6 new React Router & Remix CVEs: what you need to know Vulnerability in Node.js: what Netlify users need to know 5 SvelteKit security vulnerabilities: what Netlify users need to know GPT-5.2-Codex Now Available in AI Gateway and Agent Runners Play Games While Agent Runners Do the Work Prerender.io support updated as new extension Gemini 3 Flash Preview now available in AI Gateway GPT-image-1.5 now available in AI Gateway AI Gateway now Generally Available Observability release is here Prerender extension now generally available Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183 GPT-5.2 and GPT-5.2-Pro now available in AI Gateway and Agent Runners GPT-5.1-Codex-Max now available in AI Gateway and Agent Runners Netlify’s response to the critical React security vulnerability Netlify Vite Plugin now supports AI Gateway locally Claude Opus 4.5 now available in AI Gateway Projects deployed using a zip file via API now support branch deploys Day one support for Angular v21 on Netlify Gemini 3 now available in AI Gateway and Agent Runners DNS record management simplified for teams in Netlify organizations Skew protection for CLI workflows Support for more domain TLDs GPT-5.1 model now available in AI Gateway React Router 7 apps can now be deployed to Edge Functions | Netlify Changelog Git SHA exposed for triggered deploys | Netlify Changelog Test scheduled functions in Netlify dashboard | Netlify Changelog Revert agent run in a task | Netlify Changelog Deletion improvements with Netlify Blobs | Netlify Changelog Preview Server restart for cross-functional collaborators | Netlify Changelog AI inference usage graphs | Netlify Changelog Buy credit packs on demand | Netlify Changelog React Router 7 middleware now supported | Netlify Changelog Skew protection now available | Netlify Changelog Next.js 16 is ready to deploy on Netlify | Netlify Changelog Enforce Git-based workflows for production deploys | Netlify Changelog Claude Haiku 4.5 is now available in the AI Gateway | Netlify Changelog GPT 5 Pro now available in the AI Gateway | Netlify Changelog Updates to credit-based Personal and Pro plans | Netlify Changelog New AI workflows: Agent Runners and AI Gateway (beta) | Netlify Changelog Netlify pricing update: Introducing credit-based plans | Netlify Changelog Security Update: Multiple vulnerabilities in Next.js | Netlify Changelog ChatGPT deep link for failed deploy analysis | Netlify Changelog Equinix IP address expiring for 4-year old sites | Netlify Changelog Nuxt 4 support + new @netlify/nuxt module for local dev | Netlify Changelog Smart Secret Scanning for AI-Generated Code | Netlify Netlify DB: Serverless PostgreSQL Database | Netlify One-click install Netlify MCP on Cursor | Netlify Changelog Netlify MCP Server: AI Agents Can Now Deploy Code Directly | Netlify Netlify Becomes Official Vite Deployment Partner + New Plugin | Netlify Angular 20 support | Netlify Changelog Netlify CLI 21.4.1 UI and workflow enhancements | Netlify Changelog Security Update: Next.js sites on Netlify not vulnerable to CVE-2025-32421 | Netlify Changelog Introducing the Netlify Cache API
Next.js & React security release (May 2026): what to know
2026-05-08 · via Netlify Changelog

The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.

Summary

If you run Next.js on Netlify, we strongly recommend upgrading next to 15.5.18 or 16.2.6 and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need OpenNext Netlify Next.js adapter v5.15.11. If you use react-server-dom-* outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See What should I do? for full steps.

Netlify’s platform is not vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See Impact on Netlify for the per-CVE verdict.

Vulnerabilities

React (react-server-dom-*)

This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The Next.js advisory GHSA-8h8q-6873-q5fj tracks the same issue downstream.

VulnerabilitySeverityAffected versionsFixed in
GHSA-rv78-f8rc-xrxh — DoS in Server Components (CVE-2026-23870)High19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.519.0.6, 19.1.7, 19.2.6

Next.js

All Next.js issues are patched in 15.5.18 and 16.2.6. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.

VulnerabilitySeverityAffected versions
GHSA-8h8q-6873-q5fj — DoS with Server ComponentsHigh≥13.0.0
GHSA-267c-6grr-h53f — Middleware / Proxy bypass in App Router via segment-prefetch routesHigh≥15.2.0
GHSA-26hh-7cqf-hhc6 — Follow-up to GHSA-267c-6grr-h53f: incomplete fix for middleware.ts with TurbopackHigh≥15.2.0
GHSA-mg66-mrh9-m8jx — DoS via connection exhaustion in apps using Cache ComponentsHigh≥15.0.0 (apps using Cache Components)
GHSA-492v-c6pp-mqqv — Middleware / Proxy bypass through dynamic route parameter injectionHigh≥15.4.0
GHSA-c4j6-fc7j-m34r — SSRF in applications using WebSocket upgradesHigh≥13.4.13
GHSA-36qx-fr4f-26g5 — Middleware / Proxy bypass in Pages Router applications using i18nHigh≥12.2.0
GHSA-ffhc-5mcf-pf4q — XSS in App Router applications using CSP noncesMedium≥13.4.0
GHSA-gx5p-jg67-6x7h — XSS in beforeInteractive scripts with untrusted inputMedium≥13.0.0
GHSA-h64f-5h5j-jqjh — DoS in the Image Optimization APIMedium≥10.0.0
GHSA-wfc6-r584-vfw7 — Cache poisoning in React Server Component responsesMedium≥14.2.0
GHSA-vfv6-92ff-j949 — Cache poisoning via collisions in React Server Component cache-bustingLow≥13.4.6
GHSA-3g8h-86w9-wvmq — Middleware / Proxy redirects can be cache-poisonedLow≥12.2.0

Impact on Netlify

Denial of service

GHSA-8h8q-6873-q5fj and GHSA-mg66-mrh9-m8jx are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components (GHSA-mg66-mrh9-m8jx) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.

GHSA-h64f-5h5j-jqjh affects the Next.js Image Optimization API. Netlify projects are not affected: this Next.js code path is not used on Netlify — image optimization is handled by Netlify Image CDN, a separate service that runs outside your project’s functions with its own protections against this class of issue.

Middleware / proxy bypass

These four CVEs affect Next.js middleware and proxy routing. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per CVE:

  • GHSA-3g8h-86w9-wvmq (cache-poisoned redirects): Netlify projects are not affected. Our OpenNext Netlify Next.js adapter already varies cached responses on the x-nextjs-data header.
  • GHSA-492v-c6pp-mqqv (dynamic route parameter injection): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
  • GHSA-36qx-fr4f-26g5 (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are affected. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in OpenNext Netlify Next.js adapter v5.15.11. See how to upgrade below.
  • GHSA-267c-6grr-h53f (App Router segment-prefetch bypass) and GHSA-26hh-7cqf-hhc6 (follow-up): Netlify projects are affected, and the upstream Next.js fix applies. Upgrading Next.js resolves both.

Cross-site scripting

GHSA-ffhc-5mcf-pf4q and GHSA-gx5p-jg67-6x7h are client-side XSS vulnerabilities. Regardless of hosting provider, all apps using CSP nonces in App Router or passing untrusted input to beforeInteractive scripts may be vulnerable. Upgrade Next.js to remediate.

Server-side request forgery

GHSA-c4j6-fc7j-m34r affects applications using WebSocket upgrades. Netlify projects are not affected: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.

Cache poisoning

GHSA-wfc6-r584-vfw7 and GHSA-vfv6-92ff-j949 affect React Server Component response caching. Netlify projects are not affected: Netlify’s CDN does not rely on the _rsc cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors Vary on RSC-related request headers.

What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

  • Next.js projects: upgrade next to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate react-server-dom-* upgrade is not needed.
  • Direct react-server-dom-* users (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.

For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

For projects using Pages Router with i18n and Next.js Middleware / Proxy (GHSA-36qx-fr4f-26g5), the upstream Next.js fix does not fully apply on Netlify. The fix ships in OpenNext Netlify Next.js adapter v5.15.11:

  • Auto-installed adapter (default): redeploy.
  • Manually installed adapter: upgrade @netlify/plugin-nextjs to v5.15.11 and redeploy. We recommend not pinning the adapter version so future fixes ship automatically.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.

Resources