
12 matches found

Github Security Blog
added 2026/05/11 4:21 p.m. | 8 views

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Impact: It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details. References: CVE CVE-2026-44575...

7.5 CVSS | 5.8 AI score | 0.00053 EPSS
Exploits: 0 | References: 6 | Affected Software: 1
Github Security Blog
added 2026/05/11 2:50 p.m. | 12 views

Next.js Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23870. A specially crafted HTTP request can be sent to any...

7.5 CVSS | 5.8 AI score | 0.00391 EPSS
Exploits: 1 | References: 5 | Affected Software: 1
NVD
added 2026/03/20 10:16 p.m. | 1 views

CVE-2026-32887

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent...

7.4 CVSS | 0.00015 EPSS
Exploits: 1 | References: 1
CVE
added 2026/03/20 9:35 p.m. | 11 views

CVE-2026-32887

The connected document details a concurrency vulnerability in the Effect ecosystem where AsyncLocalStorage (ALS) context is not properly propagated across fibers in a web handler under concurrent load. Root cause: a scheduler drains multiple fiber continuations in a single drain cycle, causing AL...

7.4 CVSS | 5.8 AI score | 0.00015 EPSS
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/03/20 9:35 p.m. | 2 views

CVE-2026-32887 Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent...

7.4 CVSS | 5.8 AI score | 0.00015 EPSS
Exploits: 1 | References: 1
ATTACKERKB
added 2026/03/20 9:35 p.m. | 1 views

CVE-2026-32887

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent...

7.4 CVSS | 5.8 AI score | 0.00015 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/03/20 9:35 p.m. | 18 views

CVE-2026-32887 Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent...

7.4 CVSS | 0.00015 EPSS
Exploits: 1 | References: 1
GithubExploit
added 2025/12/17 6:0 p.m. | 130 views

Exploit for Deserialization of Untrusted Data in Facebook React

🚨 NextRce — CVE-2025-55182 Next.js / React Server Components...

10 CVSS | 8.2 AI score | 0.83197 EPSS
Exploits: 363
GithubExploit
added 2025/12/06 9:54 p.m. | 274 views

Exploit for Deserialization of Untrusted Data in Facebook React

NextRce - Next.js RSC Exploit Tool CVE-2025-55182...

10 CVSS | 7.9 AI score | 0.83197 EPSS
Exploits: 363
GithubExploit
added 2025/12/04 2:58 p.m. | 235 views

Exploit for CVE-2025-55182

CVE-2025-55182 POC for Next.js App-Router CVE-2025-55182 POC...

10 CVSS | 7.7 AI score | 0.83197 EPSS
Exploits: 363
OSSF Malicious Packages
added 2024/12/19 10:52 a.m. | 2 views

Malicious code in nextjs-app-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1be3a353ab6fd3d56d1698543312d483fa52ee3aa1fbc09c0d9efbf8c6b99e33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0 | References: 3
OSV
added 2024/12/19 10:52 a.m. | 3 views

MAL-2024-12010 Malicious code in nextjs-app-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1be3a353ab6fd3d56d1698543312d483fa52ee3aa1fbc09c0d9efbf8c6b99e33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0 | References: 3