CVE-2026-23869 - React Server Components DoS

CVE-2026-23869 is a React Server Components denial-of-service issue in the server-function request handling path used by RSC-capable frameworks and packages. A crafted request to a Server Function endpoint can drive excessive CPU consumption before the request fails, which makes public App Router applications, multi-tenant dashboards, workflow consoles, and agent-control surfaces the highest-priority cases.

The remediation is mostly an upgrade, but the mergeable PR is not just a version bump. It must identify whether the application actually exposes React Server Components or Server Functions, refresh every lockfile and deployment artifact that pins the vulnerable package, and add safe regression checks that do not reproduce a CPU-exhaustion payload against a live service.

When to use it

  • A Next.js App Router, React Server Components, Server Functions, or RSC-capable bundler deployment resolves an affected package version.
  • Public, unauthenticated, cross-tenant, or high-traffic routes can reach server actions or Server Function endpoints.
  • The fix may require distinguishing client-only React from exposed RSC runtime code.
  • You need a bounded PR or triage note that covers package upgrades, generated artifacts, route exposure, and temporary containment.

Inputs

  • JavaScript/TypeScript manifests, lockfiles, workspace files, Dockerfiles, SBOMs, deployment manifests, and generated dependency reports.
  • Resolved versions for next, react, and react-server-dom-* packages.
  • App Router, server action, Server Function, route, tenant, authentication, gateway, WAF, and rate-limit evidence.
  • Available install, typecheck, lint, unit, route, build, E2E, container, SBOM, and dependency scan commands.

Affected versions

Surface Vulnerable versions Fixed versions
next with App Router / RSC >=13.0.0, <15.5.15; >=16.0.0-beta.0, <16.2.3 15.5.15, 16.2.3
react-server-dom-webpack >=19.0.0, <19.0.5; >=19.1.0, <19.1.6; >=19.2.0, <19.2.5 19.0.5, 19.1.6, 19.2.5
react-server-dom-parcel >=19.0.0, <19.0.5; >=19.1.0, <19.1.6; >=19.2.0, <19.2.5 19.0.5, 19.1.6, 19.2.5
react-server-dom-turbopack >=19.0.0, <19.0.5; >=19.1.0, <19.1.6; >=19.2.0, <19.2.5 19.0.5, 19.1.6, 19.2.5

Next.js 13.x and 14.x App Router deployments should be treated as requiring a framework-line upgrade to a fixed release. If that migration is outside the repository’s safe remediation scope, the agent should stop with TRIAGE.md and document containment rather than forcing a broad framework migration into one CVE PR.

Indicator-of-exposure

  • The repository resolves an affected next, react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack version.
  • The application uses Next.js App Router, React Server Components, Server Functions, server actions, or an RSC-capable bundler/framework.
  • Public, unauthenticated, cross-tenant, or high-traffic routes can reach Server Function endpoints.
  • The affected process shares CPU capacity with user-facing requests, workflow execution, release gates, tenant administration, billing, connector approval, or agent-control operations.

Quick checks:

rg -n "\"next\"|react-server-dom-(webpack|parcel|turbopack)|app/|use server|server action|serverActions|Server Function|createServerReference|react-server" .
npm ls next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
pnpm why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
yarn why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

Remediation strategy

  • Upgrade Next.js App Router applications to 15.5.15+ or 16.2.3+, matching the safest current major line the application can support.
  • For non-Next RSC use, upgrade react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to the fixed patch release on the current React line.
  • Regenerate lockfiles, package-manager metadata, SBOMs, Docker layers, deployment manifests, cache keys, and dependency reports.
  • Add safe server-side regression checks for exposed Server Function routes: version assertions, request-size/rate-limit behavior, malformed-request rejection, auth and tenant checks, and resource-limit tests that do not run a live CPU-exhaustion payload.
  • If the upgrade is blocked, deploy temporary WAF or gateway containment, request-size limits, rate limits, and traffic isolation for affected Server Function endpoints. Keep the containment time-bound and do not present it as the final fix.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-23869 / GHSA-479c-33wc-g2pg, a React Server
Components denial-of-service issue that affects RSC Server Function handling
and downstream Next.js App Router releases. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades every affected framework or
  RSC package, refreshes generated artifacts, adds safe regression coverage,
  and documents any temporary containment, or
- TRIAGE.md if this repository does not control an affected RSC application or
  the fixed framework migration cannot be made safely in this scope.

## Rules

- Scope only CVE-2026-23869, the related Next.js advisory
  GHSA-q4gf-8mx6-v5v3, and directly related RSC Server Function exposure.
- Do not generate, run, publish, or preserve exploit payloads that intentionally
  exhaust CPU on a live or shared service.
- Do not remove authentication, tenant isolation, request validation, rate
  limits, server actions, or RSC functionality to make the alert disappear.
- Do not log cookies, sessions, JWTs, tenant IDs, secrets, request bodies,
  customer data, or production traffic while testing.
- Do not auto-merge.

## Steps

1. Inventory every JavaScript/TypeScript workspace, package manager lockfile,
   Next.js app, RSC-capable framework, Docker image, devcontainer, SBOM,
   deployment manifest, and generated dependency report controlled by this
   repository.
2. Determine resolved versions for `next`, `react`,
   `react-server-dom-webpack`, `react-server-dom-parcel`, and
   `react-server-dom-turbopack`.
3. Mark a target vulnerable when it resolves any affected version:
   - `next >=13.0.0, <15.5.15`;
   - `next >=16.0.0-beta.0, <16.2.3`;
   - `react-server-dom-* >=19.0.0, <19.0.5`;
   - `react-server-dom-* >=19.1.0, <19.1.6`;
   - `react-server-dom-* >=19.2.0, <19.2.5`.
4. Prove exposure before patching: identify App Router usage, server actions,
   Server Function endpoints, RSC bundler plugins, public routes, tenant
   boundaries, workflow or agent-control routes, and any gateway/WAF rules that
   currently front those routes.
5. If no affected RSC-capable runtime is controlled by this repository, stop
   with `TRIAGE.md` listing checked manifests, versions, and why the code is
   not exposed.
6. Upgrade affected packages:
   - Next.js 15.x to `15.5.15+`;
   - Next.js 16.x to `16.2.3+`;
   - Next.js 13.x or 14.x App Router deployments to a fixed Next.js line when
     the repository already owns that migration;
   - standalone `react-server-dom-*` packages to `19.0.5+`, `19.1.6+`, or
     `19.2.5+` on the active React line.
7. If a Next.js 13.x or 14.x migration is required but cannot be made safely in
   one CVE PR, stop with `TRIAGE.md` that names the owning team, target fixed
   version, temporary containment, validation gap, and follow-up date.
8. Refresh lockfiles, package-manager metadata, Docker layers, SBOMs,
   deployment manifests, cache keys, dependency reports, and docs that pin or
   mention the affected versions.
9. Add safe reviewer-runnable regression coverage:
   - dependency resolution asserts fixed versions;
   - exposed Server Function routes reject unauthenticated and cross-tenant
     requests before expensive work starts;
   - malformed Server Function requests fail quickly without logging sensitive
     data;
   - request-size, timeout, concurrency, or rate-limit controls exist for
     public RSC endpoints;
   - existing App Router behavior still works after the upgrade.
10. Add a PR body section named `CVE-2026-23869 operator actions` that states:
    - package versions before and after;
    - which App Router, RSC, or Server Function surfaces were exposed;
    - whether the service is hosted behind Vercel WAF, another WAF, gateway
      rules, or no containment;
    - which temporary containment remains until deployment;
    - which validation commands passed.
11. Run relevant validation: package install, lockfile consistency,
    typecheck, lint, unit tests, route/server-action tests, build, E2E smoke
    tests, container build, SBOM refresh, dependency/security scans, and any
    gateway or rate-limit policy tests.
12. Use PR title:
    `fix(sec): remediate CVE-2026-23869 in React Server Components`.

## Stop conditions

- No controlled RSC-capable application resolves an affected package version.
- The app uses React only on the client and has no server, RSC framework,
  bundler plugin, or Server Function surface.
- The fixed Next.js line requires a broad migration outside this repository's
  ownership or release window.
- Safe verification would require production traffic, customer data, live
  credentials, or intentional CPU-exhaustion testing.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or generated deployment artifact resolves a vulnerable next or react-server-dom-* version.
  • The PR distinguishes Next.js App Router exposure from client-only React applications that are not affected.
  • Server Function and server-action tests assert fast rejection, auth, tenant, and resource-limit behavior without preserving exploit payloads.
  • Any WAF, gateway, request-size, timeout, or rate-limit containment is documented as temporary unless the fixed version has deployed.
  • Next.js 13.x/14.x cases either migrate to a fixed line or stop with a clear owner and follow-up plan.

Output contract

  • Reviewer-ready PR upgrading affected next or react-server-dom-* packages, refreshing generated artifacts, and documenting RSC exposure.
  • Safe regression coverage for fixed dependency versions, auth/tenant checks, malformed requests, and resource limits without live CPU-exhaustion payloads.
  • Operator notes for remaining WAF/gateway containment, deployment order, and validation commands.
  • TRIAGE.md when no controlled RSC runtime is affected or the fixed framework migration exceeds the safe PR scope.

Watch for

  • Updating package.json while an older next or react-server-dom-* version remains pinned in package-lock.json, pnpm-lock.yaml, yarn.lock, generated SBOMs, Docker layers, or deployment caches.
  • Assuming Vercel WAF coverage means the application does not need the framework or package upgrade.
  • Treating all React apps as affected even when they are client-only and do not use an RSC-capable framework or bundler.
  • Adding diagnostics that log complete request bodies, cookies, or tenant context while testing Server Function behavior.
  • Folding a broad Next.js 13/14 migration into a security PR without isolating behavior changes and reviewer validation.

References