---
title: "Next.js & React DoS vulnerability: what you need to know"
description: "A DoS vulnerability affecting React Server Components has been disclosed. This has minimal impact on Netlify, but affected projects should upgrade."
source: "https://www.netlify.com/changelog/2026-04-08-react-nextjs-dos-vulnerability/"
last_updated: "2026-07-02T06:04:30.000Z"
---
A denial-of-service (DoS) vulnerability ([CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause excessive CPU consumption. Here’s what Netlify customers need to know.

## Impact on Netlify

Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. Active exploitation could still increase your function costs.

## Affected frameworks

All RSC frameworks are affected:

-   **Next.js** (see version table below)
-   React Router 7 (if using RSC preview)
-   Waku
-   `@parcel/rsc`
-   `@vitejs/plugin-rsc`

Astro, Gatsby, and Remix are not affected.

### React affected versions

See the [React advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg) for full details.

| Affected versions | Fixed in |
| --- | --- |
| 19.0.0–19.0.4 | 19.0.5 |
| 19.1.0–19.1.5 | 19.1.6 |
| 19.2.0–19.2.4 | 19.2.5 |

### Next.js affected versions

See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3) for full details.

| Affected versions | Fixed in |
| --- | --- |
| 13.3.0+ | EOL - no fix |
| 14.x | EOL - no fix |
| 15.0.0–15.5.14 | 15.5.15 |
| 16.0.0–16.2.2 | 16.2.3 |

## What should I do?

If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.

For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
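To find affected installs, including copies nested under other dependencies, the version tables above can be checked against a lockfile. The script below is an added example, not Netlify, React or Next.js code. It assumes an npm `package-lock.json` (lockfileVersion 2 or 3), matches the React table against the installed `react` package, and uses hypothetical names `classify`, `scanLock` and `sampleLock`.

```javascript
// Affected ranges transcribed from the version tables on this page.
// `to` uses Infinity for open-ended release lines; fixed: null means EOL, no fix.
const RANGES = {
  react: [
    { from: [19, 0, 0], to: [19, 0, 4], fixed: "19.0.5" },
    { from: [19, 1, 0], to: [19, 1, 5], fixed: "19.1.6" },
    { from: [19, 2, 0], to: [19, 2, 4], fixed: "19.2.5" },
  ],
  next: [
    { from: [13, 3, 0], to: [14, Infinity, Infinity], fixed: null },
    { from: [15, 0, 0], to: [15, 5, 14], fixed: "15.5.15" },
    { from: [16, 0, 0], to: [16, 2, 2], fixed: "16.2.3" },
  ],
};
// Compare two [major, minor, patch] triples.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function classify(name, version) {
  if (!Object.hasOwn(RANGES, name)) return { status: "not-listed" };
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version).trim());
  // The tables list release versions only, so prereleases (canary, rc)
  // and unparseable strings are flagged for a manual check.
  if (!m || m[4]) return { status: "unknown" };
  const v = [+m[1], +m[2], +m[3]];
  const hit = RANGES[name].find((r) => cmp(v, r.from) >= 0 && cmp(v, r.to) <= 0);
  if (!hit) return { status: "not-affected" };
  return { status: hit.fixed ? "affected" : "affected-eol", fixedIn: hit.fixed };
}

// Walk the `packages` map of a parsed package-lock.json. Keys look like
// "node_modules/a/node_modules/next", so nested copies are found too.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const result = classify(name, meta.version);
    if (result.status === "not-listed" || result.status === "not-affected") continue;
    findings.push({ path, version: meta.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile fragment, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/next": { version: "15.5.14" },
  "node_modules/react": { version: "19.2.5" },
  "node_modules/legacy/node_modules/next": { version: "14.2.30" },
} };
console.log(scanLock(sampleLock));
```

For a real project, pass the parsed contents of `package-lock.json` to `scanLock` in place of `sampleLock`. A non-empty result means an upgrade, or a manual check for `unknown` entries, is needed.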

## Resources

-   [React CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869)
-   [React security advisory](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg)
-   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3)