---
title: "Next.js & React DoS vulnerability: what you need to know"
description: "A DoS vulnerability affecting React Server Components has been disclosed. This has minimal impact on Netlify, but affected projects should upgrade."
source: "https://www.netlify.com/changelog/2026-01-26-react-nextjs-dos-vulnerability/"
last_updated: "2026-07-15T03:55:57.000Z"
---
A denial-of-service (DoS) vulnerability ([CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs ([CVE-2025-59471](https://www.cve.org/CVERecord?id=CVE-2025-59471), [CVE-2025-59472](https://www.cve.org/CVERecord?id=CVE-2025-59472)) patched in the same releases. Here’s what Netlify customers need to know.

## Impact on Netlify

Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

## Affected frameworks

All RSC frameworks are affected:

-   **Next.js** (see version table below)
-   React Router 7 (if using RSC preview)
-   Waku
-   `@parcel/rsc`
-   `@vitejs/plugin-rsc`

Astro, Gatsby, and Remix are not affected.

### React affected versions

See the [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for full details.

Affected versions

Fixed in

19.0.0–19.0.3

19.0.4

19.1.0–19.1.4

19.1.5

19.2.0–19.2.3

19.2.4

### Next.js affected versions

See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf) for full details.

Affected versions

Fixed in

13.3.0+

EOL - no fix

14.x

EOL - no fix

15.0.0–15.0.7

15.0.8

15.1.0–15.1.10

15.1.11

15.2.0–15.2.8

15.2.9

15.3.0–15.3.8

15.3.9

15.4.0–15.4.10

15.4.11

15.5.0–15.5.9

15.5.10

15.x canaries

15.6.0-canary.61

16.0.0–16.0.10

16.0.11

16.1.0–16.1.4

16.1.5

16.x canaries

16.2.0-canary.9

## What should I do?

If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.

For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).

## Resources

-   [React CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
-   [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
-   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf)