Security Update: DoS vulnerability in Next.js and React Server Components
January 26, 2026
A denial-of-service (DoS) vulnerability (CVE-2026-23864, CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs (CVE-2025-59471, CVE-2025-59472) patched in the same releases. Here’s what Netlify customers need to know.
Impact on Netlify
Nominally, this is a server-side DoS vulnerability. On Netlify, however, the impact is minimal: our autoscaling serverless architecture means that a malicious request that crashes or hangs a function does not affect other requests. Active exploitation could still increase your function costs.
Affected frameworks
All RSC frameworks are affected:
- Next.js (see version table below)
- React Router 7 (if using RSC preview)
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
Astro, Gatsby, and Remix are not affected.
React affected versions
See the React blog post for full details.
| Affected versions | Fixed in |
|---|---|
| 19.0.0–19.0.3 | 19.0.4 |
| 19.1.0–19.1.4 | 19.1.5 |
| 19.2.0–19.2.3 | 19.2.4 |
Next.js affected versions
See the Next.js advisory for full details.
| Affected versions | Fixed in |
|---|---|
| 13.3.0+ | EOL - no fix |
| 14.x | EOL - no fix |
| 15.0.0–15.0.7 | 15.0.8 |
| 15.1.0–15.1.10 | 15.1.11 |
| 15.2.0–15.2.8 | 15.2.9 |
| 15.3.0–15.3.8 | 15.3.9 |
| 15.4.0–15.4.10 | 15.4.11 |
| 15.5.0–15.5.9 | 15.5.10 |
| 15.x canaries | 15.6.0-canary.61 |
| 16.0.0–16.0.10 | 16.0.11 |
| 16.1.0–16.1.4 | 16.1.5 |
| 16.x canaries | 16.2.0-canary.9 |
What should I do?
If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.
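As an added example (not from the Netlify post or from the Next.js/React projects), the script below audits a package-lock.json against the fixed-version tables above and flags any React or Next.js copy, nested ones included, that still needs an upgrade. The lockfile contents are constructed for illustration, and canary/prerelease versions are only reported, not compared.

```javascript
// Added example, not from the Netlify post: audit a package-lock.json for
// React / Next.js versions against the fixed-release tables in this advisory.
// Only stable x.y.z versions are compared; canaries and other prereleases are
// returned as "unknown" so they get checked against the tables by hand.
const FIXED = {
  react: ["19.0.4", "19.1.5", "19.2.4"],
  next: ["15.0.8", "15.1.11", "15.2.9", "15.3.9", "15.4.11", "15.5.10", "16.0.11", "16.1.5"],
};

function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Verdict for one installed version of "react" or "next":
// "fixed" | "affected" | "eol" (no patch planned) | "unknown" | "not-listed".
function classify(pkg, version) {
  const v = parse(version);
  if (!v || v.pre) return "unknown";
  // Next.js 13.3.0+ and all of 14.x are end-of-life with no fix planned.
  if (pkg === "next" && ((v.major === 13 && v.minor >= 3) || v.major === 14)) return "eol";
  const line = (FIXED[pkg] || []).map(parse).find((f) => f.major === v.major && f.minor === v.minor);
  if (!line) return "not-listed"; // release line absent from the advisory tables
  return v.patch < line.patch ? "affected" : "fixed";
}

// Walk the "packages" map of a lockfile v2/v3 (keys like "node_modules/react",
// including nested copies under other packages) and report every react / next entry.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root project entry ("")
    const name = key.slice(idx + "node_modules/".length);
    if (name !== "react" && name !== "next") continue;
    findings.push({ path: key, name, version: meta.version, verdict: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: an outdated Next.js, a patched React, and a nested React canary.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-site" },
    "node_modules/next": { version: "15.5.9" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/some-tool/node_modules/react": { version: "19.2.0-canary.5" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.verdict}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`.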