We are issuing mitigations for CVE-2026-23864 for multiple vulnerabilities affecting React Server Components

Vercel is a platform for deploying modern web applications with speed and simplicity, offering developers a seamless experience for hosting and scaling their projects. With features like instant deployment, serverless functions, and global CDN, Vercel empowers developers to focus on building great user experiences without worrying about infrastructure management.

Vercel

Multiple high-severity denial of service vulnerabilities (CVE-2026-23864, CVSS 7.5) were discovered in React Server Components affecting versions 19.0.x through 19.2.x. The vulnerabilities can be triggered through specially crafted HTTP requests to Server Function endpoints, potentially causing server crashes, out-of-memory exceptions, or excessive CPU usage. Affected frameworks include Next.js versions 13.x through 16.x, along with other tools using React Server Components. Vercel deployed WAF mitigations automatically, but immediate upgrades to patched versions are required. Fixes are available in React 19.0.4+, 19.1.5+, 19.2.4+ and corresponding Next.js versions.

Summary of CVE-2026-23864

Ugh not again!! 😩 Is this going to happen like every month, or what?
Guess I’ll spend another hour or 2 upgrading them all again.