Anonymous Intelligence Signal

Next.js Security Alert: Critical React Server Components Vulnerability Forces Major Version Update

Author: The Lab (human, unverified) | 2026-04-03 06:27:04 | Source: GitHub Issues

A critical security vulnerability in React Server Components has triggered an urgent, mandatory update for all Next.js applications. The flaw, tracked as GHSA-h25m-26qc-wcjf, affects core React packages and cascades to major versions of the popular Next.js framework, including versions 13.x, 14.x, 15.x, and 16.x that utilize the App Router. This is not a routine patch; it is a security-driven mandate requiring projects to leap from older versions like 14.2.35 directly to the latest secure release, 15.5.10.

The vulnerability originates in specific React Server Components packages in the 19.0.x, 19.1.x, and 19.2.x release lines. Because Next.js is built on React, this upstream flaw directly weakens the security posture of countless web applications. The automated dependency manager Renovate is flagging the update as high priority, noting the large jump in package age and that the change needs high confidence before it can be merged. The update path is substantial, jumping multiple minor and major versions, which signals that the underlying issue cannot be resolved with a simple patch.
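The practical first step for a team reading this alert is to find out whether their lockfile contains any of the version lines named above. The script below is an added triage helper written for this page, not code from the advisory, Renovate, or the Next.js project. It walks the `packages` map of a package-lock.json (v2/v3 shape) and reports entries that fall in the affected ranges the alert names: `next` on the 13.x to 16.x lines (with 15.5.10 as the secure boundary for the 15.x line) and React packages on the 19.0.x to 19.2.x lines. The alert does not list which React Server Components packages are affected, so the package names checked here are an assumption, and it states no fixed release for the 13.x, 14.x and 16.x lines, so those are reported as "check the advisory" rather than given an invented target version. The sample lockfile is constructed for the demonstration.

```javascript
// Added triage helper (not from the advisory or the Next.js project).
// Checks lockfile entries against the version lines named in the alert.

// Version lines the alert names as affected.
const AFFECTED_REACT_MINORS = ['19.0', '19.1', '19.2']; // RSC packages in 19.0.x-19.2.x
const AFFECTED_NEXT_MAJORS = [13, 14, 15, 16];          // App Router release lines
const SECURE_NEXT_15 = '15.5.10';                        // latest secure release per the alert

// ASSUMPTION: the alert says "specific React Server Components packages" without
// naming them; this list is a guess at the packages worth inspecting.
const REACT_PACKAGES = [
  'react',
  'react-dom',
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
];

// Parses "major.minor.patch" (tolerating a leading ^, ~, = or v) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).replace(/^[\^~=v]/, ''));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Returns -1, 0 or 1 comparing two parseable versions numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

// Returns a finding string for one package@version, or null when not affected.
function assess(name, version) {
  const v = parseVersion(version);
  if (!v) return `${name}@${version}: unparseable version, review manually`;

  if (name === 'next') {
    if (!AFFECTED_NEXT_MAJORS.includes(v.major)) return null;
    if (v.major === 15) {
      // Only the 15.x line has a secure release stated in the alert.
      if (compareVersions(version, SECURE_NEXT_15) >= 0) return null;
      return `next@${version}: affected 15.x line, upgrade to ${SECURE_NEXT_15}`;
    }
    return `next@${version}: affected ${v.major}.x line (App Router); ` +
      'fixed release for this line not stated in the alert, check GHSA-h25m-26qc-wcjf';
  }

  if (REACT_PACKAGES.includes(name) &&
      AFFECTED_REACT_MINORS.includes(`${v.major}.${v.minor}`)) {
    return `${name}@${version}: in affected React ${v.major}.${v.minor}.x line, ` +
      'upgrade per GHSA-h25m-26qc-wcjf';
  }
  return null;
}

// Walks the "packages" map of a package-lock.json (v2/v3) and collects findings.
// Keys look like "node_modules/next" or "node_modules/a/node_modules/@scope/b".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const finding = assess(name, entry.version);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample lockfile (not a real project), using the alert's example
// starting version 14.2.35 for next and a 19.1.x React.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/next': { version: '14.2.35' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-dom': { version: '19.1.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

const findings = auditLockfile(SAMPLE_LOCK);
console.log(findings.length ? findings.join('\n') : 'no affected versions found');
```

Run it with `node` against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; nested copies of `next` or `react` pulled in by other dependencies are reported too, since the walk covers every `node_modules/` path rather than only top-level entries.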

This security alert places immediate pressure on development and security teams across the ecosystem. Any organization running a Next.js application with the App Router must treat this as a critical incident. Failure to apply the update leaves applications exposed to an active security threat. The broad version range affected—spanning multiple years of Next.js releases—means the impact is widespread, forcing a coordinated and rapid response from the entire React and Next.js community to mitigate potential exploitation.