Vercel

Vercel Patches High-Severity DoS Vulnerability in Next.js and React


Executive Summary

A high-severity Denial of Service (DoS) vulnerability (CVE-2026-23869, CVSS 7.5) has been discovered in React Server Components, affecting Next.js applications that use the App Router. A malicious HTTP request can cause excessive CPU usage, leading to service disruption. Vercel has automatically deployed new WAF rules to protect all hosted projects, but strongly advises all users to upgrade to a patched framework version immediately for complete protection.

Key Takeaways

* Vulnerability: A specially crafted HTTP request can trigger a DoS attack on applications using React Server Components.

* Affected Software: Next.js versions 13.x, 14.x, 15.x, and 16.x utilizing the App Router are vulnerable.

* Immediate Mitigation: Vercel has deployed protective WAF rules for all customers at no additional cost.

* Required Action: A software upgrade is mandatory. The WAF is a temporary shield, not a permanent solution.

* Patched Versions: Users must upgrade to patched versions, such as 15.5.15 for the 15.x series and 16.2.3 for the 16.x series.

Strategic Importance

This announcement showcases Vercel's proactive platform security by providing immediate, widespread mitigation, while reinforcing the shared responsibility model by requiring customers to update their own codebases to ensure full security.

Original article