AIKIDO-2026-10095

next is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) | CVE-2026-23864 | Published Jan 27, 2026

75

High Risk

This Affects:

next (JS)

13.0.0 - 15.0.7: fixed in 15.0.8
15.1.0 - 15.1.0: fixed in 15.1.1
15.2.0 - 15.2.8: fixed in 15.2.9
15.3.0 - 15.3.8: fixed in 15.3.9
15.4.0 - 15.4.10: fixed in 15.4.11
15.5.0 - 15.5.9: fixed in 15.5.10
15.6.0-canary.1 - 15.6.0-canary.60: fixed in 15.6.0-canary.61
16.0.0 - 16.0.10: fixed in 16.0.11
16.1.0 - 16.1.4: fixed in 16.1.5
16.2.0-canary.1 - 16.2.0-canary.8: fixed in 16.2.0-canary.9

TL;DR

Affected versions of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages, and frameworks that use them, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router, are vulnerable to multiple denial of service (DoS) issues. The previously applied DoS mitigations were incomplete, allowing specially crafted HTTP requests to Server Function endpoints to trigger server crashes, out-of-memory conditions, or excessive CPU usage, depending on the code path and application configuration. Applications that do not use React Server Components or server-side React functionality are not affected.

Who does this affect?

You are affected only if you are using a version within the vulnerable range and your application uses React Server Components. Applications that do not run React code on the server, or that do not use a framework, bundler, or bundler plugin supporting React Server Components, are not affected.

Background info

next is vulnerable to Denial of Service (DoS) in versions 16.2.0-canary.1 - 16.2.0-canary.8, 16.1.0 - 16.1.4, 16.0.0 - 16.0.10, 15.6.0-canary.1 - 15.6.0-canary.60, 15.5.0 - 15.5.9, 15.4.0 - 15.4.10, 15.3.0 - 15.3.8, 15.2.0 - 15.2.8, 15.1.0 - 15.1.0 and 13.0.0 - 15.0.7.

How to fix this

Upgrade the next library to the patched version for your release line, as listed under "This Affects".