Vercel has issued mitigations for a high-severity vulnerability in React Server Components can lead to Denial of Service

Vercel is a platform for deploying modern web applications with speed and simplicity, offering developers a seamless experience for hosting and scaling their projects. With features like instant deployment, serverless functions, and global CDN, Vercel empowers developers to focus on building great user experiences without worrying about infrastructure management.

Vercel

A high-severity vulnerability (CVSS 7.5) tracked as CVE-2026-23869 affects React Server Components in Next.js 13.x through 16.x. A specially crafted HTTP request to any App Router Server Function endpoint can trigger excessive CPU usage upon deserialization, leading to Denial of Service. Vercel has deployed WAF mitigations to protect hosted projects automatically, but users must still upgrade to patched versions (15.5.15 or 16.2.3) as the WAF alone is not sufficient protection.

Summary of CVE-2026-23869