Next.js Server-Component Bug

A critical vulnerability (CVE-2026-23869) in React Server Components can crash App Router deployments in Next.js 13–16 with crafted requests and requires no authentication. Users are advised to update to Next.js 15.5.15+ or 16.2.3+ to patch the issue and avoid CPU spikes. Because the flaw lives in server-rendered routes, teams should check now which deployments are affected and be ready to handle availability incidents. (x.com)

Next.js is the web framework behind a large share of modern React sites, and its App Router is the part that renders pages on the server before sending them to the browser. In that setup the server does the heavy lifting, so a malicious request can hit the rendering engine itself instead of just breaking one button. (github.com)

React Server Components are the format App Router uses to stream server-rendered page data to the browser, a bit like sending a half-built page over the wire in pieces. React says the vulnerable code sits in the packages that decode those server payloads: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. (github.com)

The bug is a denial-of-service flaw: the attacker does not steal data; they make the server spend itself into failure. React says a specially crafted HTTP request to a Server Function endpoint can trigger the issue with no authentication at all. (github.com) What makes this one awkward is that it lands on routes rendered on the server, so the damage shows up as slow pages, stuck requests, and worker crashes rather than a neat error box. The National Vulnerability Database rates the availability impact as high, which is the part of security that asks whether the site stays up. (nist.gov)

This is also not the first time React Server Components have had this exact class of problem. React published a critical remote-code-execution fix on December 3, 2025, further denial-of-service fixes on December 11, 2025 and January 26, 2026, and this new advisory on April 8, 2026 says another denial-of-service path still existed. (react.dev 1) (react.dev 2) (github.com 1) (github.com 2) The patched React releases are 19.0.5, 19.1.6, and 19.2.5, and the React release notes say the change adds “more cycle protections.” That means the decoder now has extra guards against payload shapes that loop back on themselves and can trap the server in expensive work. (github.com 1) (github.com 2)

Next.js pulled those React fixes into its own patched releases, because most teams do not install the low-level React Server Components packages directly. Vercel’s advisory says Next.js versions from 13.0.0 through 15.5.14 are affected, along with 16.0.0 through 16.2.2, and the fixed versions are 15.5.15 and 16.2.3. (github.com) The scope is narrower than “every Next.js app on earth”: Vercel says the issue affects Next.js 13, 14, 15, and 16 only when they use the App Router, because that is the part wired into React Server Components. (github.com) When checking, look at the version your lockfile actually resolves to, not just the range declared in package.json.

The practical risk is simple: a public endpoint that accepts these requests can be hit repeatedly until your servers burn CPU and fall over. Fastly and Imperva both describe the bug as an unauthenticated remote denial-of-service issue that can cause resource spikes and crashes in exposed deployments. (fastly.com) (imperva.com) If you run a Next.js app with App Router in production, the short version is to upgrade now, then check logs for sudden processor spikes, restarts, or bursts of requests hitting Server Function endpoints since April 8, 2026, when the advisory was published. This one needs no password, and bugs that live in the request parser tend to get probed on internet-facing apps very quickly. (github.com) (github.com)
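Two triage helpers for the "upgrade, then check the logs" advice above, as an added example written for this briefing; this is not code from the advisory, from React, or from the Next.js project. The first function checks an installed Next.js version against the affected ranges the advisory lists. The second scans JSON access-log lines for bursts of Server Function calls from a single client; App Router invokes Server Functions with a POST that carries a `next-action` header, but the JSON log shape (`ts`, `ip`, `method`, `path`, `headers`) is an assumed reverse-proxy format, and the sample log is constructed, not real traffic.

```javascript
// Added example, not project code. Assumes a reverse proxy that logs one JSON
// object per line with ts, ip, method, path and headers (assumed format).

// Parse "15.5.14", "v15.5.14" or "^15.5.14" into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[^\d]*/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected ranges per the advisory: 13.0.0-15.5.14 and 16.0.0-16.2.2.
// Fixed releases are 15.5.15 and 16.2.3, so they fall outside both ranges.
const AFFECTED_NEXT_RANGES = [
  { lo: [13, 0, 0], hi: [15, 5, 14] },
  { lo: [16, 0, 0], hi: [16, 2, 2] },
];

function isAffectedNextVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_NEXT_RANGES.some(r => cmp(v, r.lo) >= 0 && cmp(v, r.hi) <= 0);
}

// A Server Function call is a POST carrying a next-action header (header
// names are matched case-insensitively because proxies differ).
function isServerFunctionCall(entry) {
  const headers = entry.headers || {};
  const hasAction = Object.keys(headers).some(k => k.toLowerCase() === 'next-action');
  return entry.method === 'POST' && hasAction;
}

// Sliding window: flag a client IP when it issues more than `threshold`
// Server Function POSTs inside any `windowMs` span. Malformed lines and
// non-Server-Function traffic are skipped rather than counted.
function findServerFunctionBursts(lines, { windowMs = 10000, threshold = 20 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (!isServerFunctionCall(entry)) continue;
    const t = Date.parse(entry.ts);
    if (Number.isNaN(t)) continue;
    if (!byIp.has(entry.ip)) byIp.set(entry.ip, []);
    byIp.get(entry.ip).push(t);
  }
  const findings = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > windowMs) start++;
      peak = Math.max(peak, i - start + 1);
    }
    if (peak > threshold) findings.push({ ip, peak, windowMs });
  }
  return findings;
}

// Constructed sample log (not real traffic): 10.0.0.5 fires 30 Server Function
// POSTs in about five seconds; 192.0.2.10 makes three calls a minute apart
// plus one ordinary GET. The action id is a placeholder.
const SAMPLE_LOG = (() => {
  const base = Date.parse('2026-04-09T00:00:00Z');
  const rec = (ip, offsetMs) => JSON.stringify({
    ts: new Date(base + offsetMs).toISOString(), ip, method: 'POST', path: '/',
    headers: { 'next-action': 'constructed-action-id' }, status: 200,
  });
  const lines = [];
  for (let i = 0; i < 30; i++) lines.push(rec('10.0.0.5', i * 166));
  for (let i = 0; i < 3; i++) lines.push(rec('192.0.2.10', i * 20000));
  lines.push(JSON.stringify({ ts: '2026-04-09T00:00:01Z', ip: '192.0.2.10',
    method: 'GET', path: '/about', headers: {}, status: 200 }));
  return lines;
})();

console.log('15.5.14 affected:', isAffectedNextVersion('15.5.14'));
console.log('15.5.15 affected:', isAffectedNextVersion('15.5.15'));
console.log('bursts:', findServerFunctionBursts(SAMPLE_LOG));
```

The burst threshold is a starting point, not a signature: a legitimate form-heavy page can generate several Server Function calls per interaction, so tune `threshold` and `windowMs` against a day of normal traffic before acting on the output, and treat a flagged IP as a lead to correlate with CPU spikes and worker restarts rather than as proof of exploitation.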
