GHSA-h25m-26qc-wcjf
Denial of Service (DoS) vulnerability in next (npm)
What is GHSA-h25m-26qc-wcjf About?
This vulnerability affects React Server Components packages and frameworks like Next.js using the App Router. A specially crafted HTTP request, when deserialized by a Server Function endpoint, can trigger excessive CPU usage or out-of-memory exceptions. This leads to a denial of service, causing server crashes and unavailability.
Affected Software
- next
  - >=13.0.0, <15.0.8
  - >=15.1.1-canary.0, <15.1.12
  - >=15.2.0-canary.0, <15.2.9
  - >=15.3.0-canary.0, <15.3.9
  - >=15.4.0-canary.0, <15.4.11
  - >=15.5.1-canary.0, <15.5.10
  - >=15.6.0-canary.0, <15.6.0-canary.61
  - >=16.0.0-beta.0, <16.0.11
  - >=16.1.0-canary.0, <16.1.5
Technical Details
The vulnerability, tracked as CVE-2026-23864, impacts React Server Components in versions 19.0.x, 19.1.x, and 19.2.x, as well as frameworks such as Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The core issue lies in the deserialization process of input from HTTP requests sent to App Router Server Function endpoints. An attacker can create a specific HTTP request payload that, upon deserialization, causes the server to consume an inordinate amount of CPU cycles or memory. This excessive resource consumption can manifest as high CPU usage, out-of-memory errors, or outright server crashes, ultimately preventing the affected application from serving legitimate requests and leading to a denial of service.
What is the Impact of GHSA-h25m-26qc-wcjf?
Successful exploitation may allow attackers to trigger excessive resource consumption on the server, resulting in out-of-memory exceptions, server crashes, and ultimately a denial of service for the application.
What is the Exploitability of GHSA-h25m-26qc-wcjf?
Exploitation of this vulnerability involves sending a specially crafted HTTP request to any App Router Server Function endpoint. The attack vector is remote, and typically no authentication is required. The complexity lies in crafting the malicious deserialization payload; no special privileges are needed on the attacker's side. The primary constraint is that the target application must run an affected version of React Server Components or of a framework such as Next.js with the App Router. The risk is elevated where public-facing Server Function endpoints are exposed and accept unvalidated input, since service availability can then be disrupted with little effort.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-h25m-26qc-wcjf?
Available Upgrade Options
- next
  - >=13.0.0, <15.0.8 → Upgrade to 15.0.8
  - >=15.1.1-canary.0, <15.1.12 → Upgrade to 15.1.12
  - >=15.2.0-canary.0, <15.2.9 → Upgrade to 15.2.9
  - >=15.3.0-canary.0, <15.3.9 → Upgrade to 15.3.9
  - >=15.4.0-canary.0, <15.4.11 → Upgrade to 15.4.11
  - >=15.5.1-canary.0, <15.5.10 → Upgrade to 15.5.10
  - >=15.6.0-canary.0, <15.6.0-canary.61 → Upgrade to 15.6.0-canary.61
  - >=16.0.0-beta.0, <16.0.11 → Upgrade to 16.0.11
  - >=16.1.0-canary.0, <16.1.5 → Upgrade to 16.1.5
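To check whether a deployed `next` version falls inside one of the affected ranges above and which patched release closes it, here is an added example in plain Node.js; it is not code from the advisory or from the Next.js project. The ranges are copied from this advisory, and the version comparator is a minimal semver implementation written for this example so it runs without the `semver` npm package.

```javascript
// Added example, not advisory or Next.js code. Ranges copied from the advisory;
// the comparator is a minimal semver implementation (build metadata "+..." not handled).
const AFFECTED_RANGES = [ // [lower bound inclusive, first fixed version]
  ['13.0.0', '15.0.8'],
  ['15.1.1-canary.0', '15.1.12'],
  ['15.2.0-canary.0', '15.2.9'],
  ['15.3.0-canary.0', '15.3.9'],
  ['15.4.0-canary.0', '15.4.11'],
  ['15.5.1-canary.0', '15.5.10'],
  ['15.6.0-canary.0', '15.6.0-canary.61'],
  ['16.0.0-beta.0', '16.0.11'],
  ['16.1.0-canary.0', '16.1.5'],
];

// Parse "MAJOR.MINOR.PATCH[-pre.release]"; numeric prerelease identifiers become numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: core parts first, then prerelease identifiers. A prerelease sorts
// before its release (15.6.0-canary.61 < 15.6.0), numeric identifiers sort before
// alphanumeric ones, and with an equal prefix the shorter identifier list sorts first.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.min(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === y) continue;
    if (typeof x === typeof y) return x < y ? -1 : 1;
    return typeof x === 'number' ? -1 : 1;
  }
  return A.pre.length - B.pre.length;
}

// Returns the release to upgrade to, or null when `installed` is outside every
// affected range (already patched, or a release line this advisory does not list).
function requiredUpgrade(installed) {
  for (const [lo, fixed] of AFFECTED_RANGES) {
    if (compareVersions(installed, lo) >= 0 && compareVersions(installed, fixed) < 0) return fixed;
  }
  return null;
}

// Constructed sample versions, e.g. the values `npm ls next` reports for a deployment.
for (const v of ['14.2.3', '15.6.0-canary.60', '15.6.0']) {
  console.log(v, '->', requiredUpgrade(v) ?? 'not in an affected range');
}
```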
Additional Resources
- https://osv.dev/vulnerability/GHSA-h25m-26qc-wcjf
- https://github.com/vercel/next.js
- https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
- https://nvd.nist.gov/vuln/detail/CVE-2026-23864
- https://vercel.com/changelog/summary-of-cve-2026-23864
- https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
What are Similar Vulnerabilities to GHSA-h25m-26qc-wcjf?
Similar Vulnerabilities: CVE-2023-45133, CVE-2023-38035, CVE-2022-38568, CVE-2022-25916, CVE-2020-7798
