FIND-20260410-003 · 2026-04-10 · Innovation Veille
CVE-2026-23869 — Next.js App Router DoS via crafted RSC request (CVSS 7.5)
cve
HIGH
CVE-2026-23869 is a Denial of Service vulnerability in Next.js affecting all App Router deployments across versions 13.x, 14.x, 15.x, and 16.x. A specially crafted HTTP request sent to any App Router Server Function endpoint triggers excessive CPU usage during React Server Component deserialization. CVSS score: 7.5 (High). Fixed in Next.js 15.5.15+ and 16.2.3+. ODS Dashboard uses Next.js 16 with the App Router.
Source
https://vercel.com/changelog/summary-of-cve-2026-23869
ODS Impact
ODS Dashboard (ods-dashboard service on srv-staging) uses Next.js 16 App Router. This vulnerability allows any unauthenticated attacker to cause CPU exhaustion by sending crafted requests to Server Function endpoints, potentially taking down the dashboard. Upgrading to Next.js 16.2.3 is mandatory. The fix was backported into the 16.2.3 release, which is already available.
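To confirm the upgrade took effect, check the resolved Next.js version rather than the range declared in package.json. The following is an added example, not code from the Vercel advisory or the ODS code base: it classifies a version against the fixed releases stated in this finding. The function names and status strings are hypothetical, and the lockfile fragment is constructed.

```javascript
// Added example: classify a resolved Next.js version against the fixed
// releases stated in this finding (15.5.15+ and 16.2.3+).
// Names and status strings are illustrative, not from Vercel or ODS.
const FIXED = { 15: [15, 5, 15], 16: [16, 2, 3] }; // fixed releases per the finding
const AFFECTED_MAJORS = [13, 14, 15, 16];           // affected lines per the finding

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null; // ranges such as "^16.0.0" are not resolved versions
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function classifyNextVersion(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const major = p.nums[0];
  if (!AFFECTED_MAJORS.includes(major)) return "not-listed";
  const fixed = FIXED[major];
  // 13.x and 14.x are listed as affected, but the finding names no fixed release for them.
  if (!fixed) return "affected-no-fix-listed";
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] > fixed[i]) return "at-or-above-fixed";
    if (p.nums[i] < fixed[i]) return "below-fixed";
  }
  // Same x.y.z as the fixed release: in semver a prerelease sorts before the release.
  return p.prerelease ? "below-fixed" : "at-or-above-fixed";
}

// Read the resolved version from a parsed package-lock.json (lockfileVersion 2 or 3).
function classifyLockfile(lock) {
  const entry = lock && lock.packages && lock.packages["node_modules/next"];
  return entry && entry.version ? classifyNextVersion(entry.version) : "next-not-found";
}

// Constructed sample lockfile fragment.
const sampleLock = { lockfileVersion: 3, packages: { "node_modules/next": { version: "16.1.0" } } };
console.log(classifyLockfile(sampleLock));
```

The comparison is semver ordering only; it does not inspect the package contents.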
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
nextjs
cve
dos
app-router
react-server-components
security
high-severity