Next.js and React patches urgent

- Security researchers disclosed critical DoS flaws affecting Next.js App Router versions 13–16.x and React 19.x, and patches are now available.
- The vulnerability is tracked as CVE-2026-23870 for Next.js; App Router users were specifically urged to upgrade to patched releases.
- Teams running Next.js/React app routers should schedule immediate dependency updates and incident reviews to close the attack surface. (x.com)

A fresh React Server Components bug just landed, and this one is the kind ops teams hate — low-complexity denial of service from a crafted request, no auth required. It hits React 19's server-component packages and cascades into Next.js apps that use the App Router, because the App Router is built on those same server-component mechanics. The practical news is simple: patches are out now, and if you run App Router in production, this is an upgrade-today issue. (github.com)

### What actually broke?

The vulnerable path is the Server Function endpoint pipeline inside React Server Components. A specially crafted HTTP request can force expensive deserialization work, which can spike CPU and, in React's upstream advisory, also trigger out-of-memory conditions. In plain English — an attacker does not need to steal data or run code to hurt you; they can just make your server burn resources until it falls over. (github.com)

### Why does Next.js get dragged into this?

Because Next.js App Router is one of the most common ways people ship React Server Components. The App Router uses Server Components, Suspense, and Server Functions as core features, so an upstream flaw in React's server-component packages becomes a downstream Next.js problem fast. That is why Vercel published its own advisory even though the root issue is tracked upstream in React as CVE-2026-23870. (nextjs.org)

### Which versions are exposed?

On the React side, the affected packages are the 19.x server-component packages — `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` — through 19.2.5, with fixes in 19.0.6, 19.1.7, and 19.2.6. On the Next.js side, GitHub's Vercel advisory says affected `next` versions are `>=13.0.0 <15.5.16` and `>=16.0.0 <16.2.5`, with patched releases at 15.5.16 and 16.2.5. The advisory text also explicitly calls out Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. (github.com)

### Is every React app in danger?

No — and this distinction matters. If your app does not use a server-side React setup that supports Server Components, the React team says it is not affected. This is not a generic "all React websites are broken" moment. The exposed group is apps that actually ship React Server Components or frameworks that bundle them in, with Next.js App Router being the big one. (github.com)

### Why does this feel familiar?

Because it is part of an ugly pattern around React Server Components over the past few months. December 2025 brought a critical remote-code-execution bug, then more denial-of-service and source-exposure follow-ons, then January 2026 brought another round after researchers tested whether the earlier fixes could be bypassed. Basically, once a hot code path becomes security-interesting, researchers keep hammering it. This new CVE looks like the latest round of that same scrutiny. (react.dev)

### What should teams do right now?

First, upgrade React server-component packages to 19.0.6, 19.1.7, or 19.2.6, depending on your line. Then upgrade Next.js to at least 15.5.16 or 16.2.5 if you are on an affected App Router release. After that, review any public Server Function endpoints, rate-limit where you can, and look back through CPU and memory spikes in recent logs — not because the advisory says exploitation is widespread, but because DoS bugs are cheap to probe once details are public. (github.com)

### Is there a workaround if you cannot patch tonight?

Nothing in the official advisories suggests a clean long-term substitute for upgrading. Temporary traffic controls at the edge may reduce blast radius, but they do not remove the vulnerable code path. If you expose App Router Server Function endpoints to the public internet, the real fix is the patched release. (github.com)

### Bottom line

This is not a theoretical library footnote. It is a live availability risk in one of the most widely used React deployment paths. If you run Next.js App Router or ship React Server Components on 19.x, patch now and treat the follow-up review as part of the fix, not extra credit. (github.com)
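The first remediation step above is a version check, and it is easy to get wrong across three React release lines and two Next.js ranges. The following is an added example (not code from the React, Next.js or Vercel projects) that audits a dependency map against the ranges quoted in this article. The Next.js ranges are taken directly from the advisory text quoted above; the three React ranges are an assumption, reading "through 19.2.5, with fixes in 19.0.6, 19.1.7, and 19.2.6" as the 19.0.x, 19.1.x and 19.2.x lines each being fixed at the named release. The `SAMPLE_DEPENDENCIES` map is constructed for the demonstration.

```javascript
// Added example, not code from React, Next.js or Vercel.
// Audits resolved dependency versions (as read from a lockfile) against the
// affected ranges quoted in the advisories for CVE-2026-23870.
// ASSUMPTION: the three React 19.x ranges are derived from "through 19.2.5,
// fixed in 19.0.6 / 19.1.7 / 19.2.6", read as three release lines.

// Each range is [from, below): `from` inclusive, `below` exclusive (the fix release).
const AFFECTED_RANGES = {
  next: [
    { from: '13.0.0', below: '15.5.16' },
    { from: '16.0.0', below: '16.2.5' },
  ],
  'react-server-dom-webpack': [
    { from: '19.0.0', below: '19.0.6' },
    { from: '19.1.0', below: '19.1.7' },
    { from: '19.2.0', below: '19.2.6' },
  ],
};
// The parcel and turbopack packages share the webpack package's ranges.
AFFECTED_RANGES['react-server-dom-parcel'] = AFFECTED_RANGES['react-server-dom-webpack'];
AFFECTED_RANGES['react-server-dom-turbopack'] = AFFECTED_RANGES['react-server-dom-webpack'];

// Parse "major.minor.patch", tolerating a leading "v", "^", "~" or "=" and
// ignoring any prerelease/build suffix (a prerelease is audited as its release).
function parseSemver(version) {
  const m = /^[v^~=]*(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`cannot parse version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Is this package/version inside an affected range? Reports the first fixed release.
function isAffected(pkg, version) {
  const ranges = AFFECTED_RANGES[pkg];
  if (!ranges) return { affected: false, fixedIn: null };
  for (const r of ranges) {
    if (compareSemver(version, r.from) >= 0 && compareSemver(version, r.below) < 0) {
      return { affected: true, fixedIn: r.below };
    }
  }
  return { affected: false, fixedIn: null };
}

// Audit a {name: version} map. Pass resolved versions from a lockfile; a caret
// or tilde range from package.json is audited at its floor, which may flag a
// project whose lock already resolves to a patched release.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const verdict = isAffected(name, version);
    if (verdict.affected) {
      findings.push({ package: name, installed: version, fixedIn: verdict.fixedIn });
    }
  }
  return findings;
}

// Constructed sample dependency map (not from any real project).
const SAMPLE_DEPENDENCIES = {
  next: '15.5.12',
  react: '19.2.5',
  'react-dom': '19.2.5',
  'react-server-dom-webpack': '19.2.5',
  typescript: '5.6.3',
};

if (typeof require !== 'undefined' && require.main === module) {
  // Expected: next -> 15.5.16, react-server-dom-webpack -> 19.2.6
  console.table(auditDependencies(SAMPLE_DEPENDENCIES));
}

module.exports = { AFFECTED_RANGES, parseSemver, compareSemver, isAffected, auditDependencies, SAMPLE_DEPENDENCIES };
```

Note that `react` and `react-dom` are deliberately not in the affected list: the article says the exposed React packages are the three `react-server-dom-*` packages, so a plain client-side React 19 install produces no finding.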
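The article's interim advice is to rate-limit Server Function traffic at the edge while the upgrade rolls out, with the caveat that this only reduces blast radius. As an added example (not Next.js, React or Vercel code, and not a documented Next.js API), here is a per-client sliding-window limiter and a gate that answers 429 with a `Retry-After` header once a client exceeds its budget. Which requests count as Server Function calls is left to a caller-supplied predicate, since that is framework-specific; the predicate used in the demo (`POST` requests) and the request objects are constructed assumptions. The clock is injectable so the behaviour can be checked deterministically.

```javascript
// Added example, not code from React, Next.js or Vercel.
// Sliding-window rate limiter for temporary traffic control in front of
// Server Function endpoints. It caps requests per client key per window; it
// does NOT remove the vulnerable deserialization path, which only the patched
// release fixes.

class SlidingWindowLimiter {
  // limit: max requests per key per window; windowMs: window length; now: clock (ms).
  constructor({ limit, windowMs, now = () => Date.now() }) {
    if (!(limit > 0) || !(windowMs > 0)) throw new Error('limit and windowMs must be positive');
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> ascending request timestamps inside the window
  }

  // Record one request for `key` at time `at` and say whether it fits the budget.
  allow(key, at = this.now()) {
    const cutoff = at - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest in-window request ages out at oldest + windowMs.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - at };
    }
    recent.push(at);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Forget keys with no in-window requests so memory stays bounded; returns keys kept.
  prune(at = this.now()) {
    const cutoff = at - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (stamps.every((ts) => ts <= cutoff)) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Build a gate for a middleware layer. `isServerFunctionRequest` is a caller-supplied
// predicate (ASSUMPTION: how such requests are recognised is framework-specific).
// Requests that are not Server Function calls pass through untouched.
function makeServerFunctionGate(limiter, isServerFunctionRequest) {
  return function gate(req, at) {
    if (!isServerFunctionRequest(req)) return { status: 200, passthrough: true, headers: {} };
    const verdict = limiter.allow(req.ip, at);
    if (verdict.allowed) {
      return { status: 200, passthrough: true, headers: { 'X-RateLimit-Remaining': String(verdict.remaining) } };
    }
    return {
      status: 429,
      passthrough: false,
      headers: { 'Retry-After': String(Math.ceil(verdict.retryAfterMs / 1000)) },
    };
  };
}

// Demo with constructed requests: 3 POSTs per second per IP allowed, then 429.
function runDemo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1000, now: () => clock });
  const gate = makeServerFunctionGate(limiter, (req) => req.method === 'POST');
  const burst = Array.from({ length: 5 }, () => ({ ip: '203.0.113.7', method: 'POST', path: '/' }));
  const statuses = burst.map((req) => gate(req, clock).status);
  clock = 1000; // one window later the oldest hits have aged out
  statuses.push(gate(burst[0], clock).status);
  statuses.push(gate({ ip: '203.0.113.7', method: 'GET', path: '/' }, clock).status);
  return statuses; // [200, 200, 200, 429, 429, 200, 200]
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo().join(' '));
}

module.exports = { SlidingWindowLimiter, makeServerFunctionGate, runDemo };
```

In a real deployment the key would come from the client address as seen by the edge, and the limiter state would live in whatever shared store the edge layer offers; the in-memory `Map` here is per process. The `prune` call is what keeps a long-running process from growing with every client that ever appeared.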

Shared from Scout - Be the smartest in the room.