FIND-20260402-013 · 2026-04-02 · Innovation Veille

CVE-2026-23864: React Server Components DoS via memory exhaustion — HIGH (CVSS 7.5), Next.js affected

cve MEDIUM
CVE-2026-23864 (CVSS 7.5 HIGH) is a denial-of-service vulnerability in React Server Components affecting React 19.0.x, 19.1.x, 19.2.x and Next.js 15.x/16.x. Specially crafted unauthenticated HTTP requests to Server Function endpoints cause memory exhaustion and crash the server. An incomplete fix for CVE-2025-55184 left prior versions still vulnerable. Patches: React 19.0.4+, 19.1.5+, 19.2.4+; Next.js 16.0.11+ or 15.x patched versions. The ODS Dashboard uses Next.js v16.2.2, which includes the patch.

Source

https://www.akamai.com/blog/security-research/cve-2026-23864-react-nextjs-denial-of-service

ODS Impact

ODS Dashboard (Next.js 16.2.2) is on a patched version. Verify that the installed React package version is 19.2.4+. Any future Server Function endpoints in ODS Dashboard should be tested against oversized RSC requests.
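One way to run the version check above across every resolved copy of react and next in a package-lock.json (v2/v3 "packages" layout), including nested duplicates pulled in by dependencies. This is an added example, not ODS or vendor code; the thresholds are the patched versions listed in this finding, and the sample lockfile, the "legacy-widget" package and the function names are constructed for illustration.

```javascript
// Added example. Thresholds are the patched versions listed in this finding.
const REACT_MIN_PATCH = { "19.0": 4, "19.1": 5, "19.2": 4 };
const NEXT_16_MIN = [16, 0, 11];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v || "");
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) } : null;
}

function classify(name, version) {
  const v = parseVersion(version);
  if (!v || v.pre) return "review"; // unparsable or prerelease build: check by hand
  if (name === "react") {
    const min = REACT_MIN_PATCH[`${v.major}.${v.minor}`];
    if (min === undefined) return "review"; // release line not covered by the finding
    return v.patch >= min ? "patched" : "vulnerable";
  }
  if (name === "next") {
    if (v.major !== 16) return "review"; // 15.x patched versions are not enumerated here
    const cur = [v.major, v.minor, v.patch];
    for (let i = 0; i < 3; i++) {
      if (cur[i] !== NEXT_16_MIN[i]) return cur[i] > NEXT_16_MIN[i] ? "patched" : "vulnerable";
    }
    return "patched"; // exactly 16.0.11
  }
  return "review";
}

// Walk every lockfile entry so nested copies are not missed.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name !== "react" && name !== "next") continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical project).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "16.2.2" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.2.4" },
  },
};
```

A "review" status means the finding gives no threshold for that release line, so the version has to be checked against the upstream advisory by hand.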

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

cve react nextjs dos rsc security