CVE-2026-44580 Overview
CVE-2026-44580 is a cross-site scripting (XSS) vulnerability in Next.js, the React framework for full-stack web applications maintained by Vercel. The flaw affects versions from 13.0.0 up to but not including 15.5.16 and 16.2.5. Applications that combine beforeInteractive scripts with untrusted content fail to safely escape serialized script content before embedding it into the document. Attacker-controlled input can break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. The issue is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) and is fixed in Next.js 15.5.16 and 16.2.5.
Critical Impact
Attackers can inject arbitrary JavaScript that executes in the context of a visitor's browser session, enabling session theft, credential harvesting, and unauthorized actions on behalf of the user.
Affected Products
- Next.js versions 13.0.0 through 15.5.15
- Next.js 16.x versions prior to 16.2.5
- Applications using the beforeInteractive script strategy with untrusted input
Discovery Timeline
- 2026-05-13 - CVE-2026-44580 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44580
Vulnerability Analysis
The vulnerability resides in the rendering path that handles Next.js beforeInteractive scripts. The beforeInteractive strategy is used to load scripts that must run before the page becomes interactive, such as polyfills or bot detection libraries. Next.js serializes the script's content and embeds it directly into the server-rendered HTML document.
In affected versions, the framework did not properly escape this serialized content before placing it inside a <script> element. When developers pass untrusted input as script content or arguments, attacker-supplied data can terminate the script context using sequences such as </script> or other HTML-significant characters. Once the context is broken, the attacker can introduce additional HTML and JavaScript that the browser executes.
Root Cause
The root cause is improper output encoding when serializing inline script content for the beforeInteractive strategy. The framework treated the embedded content as safe by default, omitting the encoding required to neutralize sequences that close or escape the surrounding <script> tag. This pattern is a textbook instance of CWE-79, where input is reflected into a sensitive context without context-appropriate sanitization.
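The following is an added illustration, not Next.js source code, of the serialization defect described above: a serializer that embeds JSON into an inline script without HTML-context escaping, beside a form that escapes the characters the HTML tokenizer acts on, plus a check that tells the two apart. Function names are hypothetical and the sample value is constructed.

```javascript
// Added illustration, not Next.js source: an inline-script serializer in the
// vulnerable shape the advisory describes, beside a context-aware escaped form.
// Function names are hypothetical; the real framework internals differ.

function renderInlineScriptUnsafe(data) {
  // JSON.stringify produces valid JavaScript, but it does not escape '<', so a
  // string value containing "</script>" ends the element at the HTML layer.
  return `<script>window.__DATA__ = ${JSON.stringify(data)};</script>`;
}

function escapeForScriptBody(json) {
  // Replace characters the HTML tokenizer cares about inside a script body
  // with JavaScript unicode escapes. The JS engine turns \u003c back into '<',
  // so the value survives as data but can no longer close the tag or open an
  // HTML comment. U+2028/U+2029 are escaped because they are line terminators
  // in JavaScript while being legal inside JSON strings.
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInlineScriptSafe(data) {
  return `<script>window.__DATA__ = ${escapeForScriptBody(JSON.stringify(data))};</script>`;
}

function scriptContextBroken(html) {
  // The HTML parser ends a <script> element at the first "</script" it meets,
  // whatever the JavaScript string context. More than one occurrence in a
  // single rendered script means embedded data escaped its context.
  const closes = html.match(/<\/script/gi) || [];
  return closes.length > 1;
}

// Constructed sample: an untrusted value that tries to close the script.
const untrusted = { q: '</script><p>this would render as HTML</p>' };
```

The escaped form round-trips through JSON.parse unchanged, which is the property a fix for this class of bug must preserve: the data is intact, only its HTML-significant characters are no longer literal.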
Attack Vector
Exploitation requires user interaction, typically a visit to a page where the application embeds attacker-controlled data into a beforeInteractive script. The attacker delivers a crafted URL or payload, often through a phishing message, that causes the vulnerable page to serialize hostile input into the document. When the victim loads the page, the injected script executes with full access to the page's origin, including cookies accessible to JavaScript and the DOM.
No verified public proof-of-concept code is available. The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-gx5p-jg67-6x7h.
Detection Methods for CVE-2026-44580
Indicators of Compromise
- Unexpected </script> sequences or HTML control characters in request parameters, route segments, or headers consumed by beforeInteractive scripts.
- Outbound requests from end-user browsers to unfamiliar domains immediately after rendering a Next.js page that contains inline scripts.
- Server logs showing requests with payloads containing encoded JavaScript such as javascript:, onerror=, or base64-encoded script fragments.
Detection Strategies
- Audit application source for <Script strategy="beforeInteractive"> usage and verify that no dangerouslySetInnerHTML or dynamic content derived from user input is passed to it.
- Deploy a Content Security Policy (CSP) in report-only mode and review violation reports for inline script execution that should not occur.
- Run static analysis against the codebase to flag flows where request parameters reach next/script component props.
Monitoring Recommendations
- Monitor web application firewall (WAF) logs for request parameters containing tag-breaking sequences targeting routes that render inline scripts.
- Track Next.js dependency versions across all production deployments and alert when versions fall below 15.5.16 or 16.2.5.
- Review browser error telemetry and CSP violation reports for spikes that correlate with new content or untrusted inputs.
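As an added example for the log-based indicators and WAF monitoring listed above (not part of the advisory), the snippet below inspects constructed access-log lines, decodes each query parameter (including one level of double encoding), and flags values carrying sequences that could terminate an inline script body. The log format, indicator list and sample lines are assumptions to adapt to your own logging.

```javascript
// Added example, not from the advisory: flag requests whose query parameters
// carry tag-breaking or script-bearing sequences. Log format and sample lines
// are constructed; adjust the parser and indicator list for your environment.

const SUSPECT = [
  { name: 'script-close', re: /<\/script/i },
  { name: 'html-comment-open', re: /<!--/ },
  { name: 'js-scheme', re: /javascript:/i },
  { name: 'event-handler', re: /\bon(?:error|load|click|focus)\s*=/i },
];

function decodeParams(query) {
  // URLSearchParams percent-decodes once; decode a second time so that
  // double-encoded values (%253C...) are inspected in their final form.
  const out = [];
  for (const [k, v] of new URLSearchParams(query)) {
    let val = v;
    try { val = decodeURIComponent(v); } catch { /* keep single-decoded value */ }
    out.push([k, val]);
  }
  return out;
}

function inspectRequestLine(line) {
  // Expected shape: '<ip> - - [<ts>] "<method> <path> <proto>" <status> <bytes>'
  const m = line.match(/"(?:GET|POST|PUT|PATCH) (\S+) HTTP/);
  if (!m) return [];
  const [path, query = ''] = m[1].split('?', 2);
  const findings = [];
  for (const [param, value] of decodeParams(query)) {
    for (const { name, re } of SUSPECT) {
      if (re.test(value)) findings.push({ path, param, indicator: name });
    }
  }
  return findings;
}

function scanLog(lines) {
  return lines.flatMap(inspectRequestLine);
}

// Constructed sample log: one benign search, one encoded close tag, one
// double-encoded close tag on a different route.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/May/2026:10:01:02 +0000] "GET /search?q=nextjs+script HTTP/1.1" 200 512',
  '203.0.113.9 - - [13/May/2026:10:01:05 +0000] "GET /search?q=%3C%2Fscript%3E%3Cp%3Ex HTTP/1.1" 200 620',
  '203.0.113.9 - - [13/May/2026:10:01:09 +0000] "GET /profile?name=%253C%252Fscript%253E HTTP/1.1" 200 410',
];
```

Findings are most useful when filtered to routes known to render beforeInteractive scripts, which keeps the alert volume proportional to actual exposure.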
How to Mitigate CVE-2026-44580
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 or 16.2.5 across all environments that use the framework.
- Inventory all uses of the beforeInteractive script strategy and confirm none receive untrusted input.
- Rotate any session tokens or credentials that may have been exposed if exploitation is suspected on internet-facing applications.
Patch Information
Vercel released fixes in Next.js 15.5.16 and 16.2.5. The patches add proper escaping to serialized script content before it is embedded into the rendered document. Refer to the GitHub Security Advisory GHSA-gx5p-jg67-6x7h for the official advisory and patch references.
Workarounds
- Remove or refactor beforeInteractive script usages so no user-controllable data is serialized into the script body.
- Apply a strict Content Security Policy that disallows inline scripts without a nonce or hash, reducing the impact of script injection.
- Sanitize and validate any input that flows into server-rendered components, rejecting characters such as <, >, and / where they are not required.
# Upgrade Next.js to a fixed release
npm install next@15.5.16
# or for the 16.x branch
npm install next@16.2.5
# Verify installed version
npx next --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.