Executive summary
We have been notified by our partners that a newly disclosed vulnerability (assigned CVE-2026-23864) that affects multiple React-based frameworks reveals a denial-of-service (DoS) vulnerability in React Server Components (RSCs). The Vercel team released a separate advisory detailing this vulnerability.
There have not been any observed in-the-wild exploitations of this vulnerability. Still, Akamai has deployed an Adaptive Security Engine Rapid Rule to protect our customers from this threat.
Vulnerability details
At the center of the issue is DoS attack due to memory exhaustion when specially crafted HTTP requests are sent to the respective web servers running React- or Next.js-based frameworks.
The DoS vulnerability arises from how React handles Server Function invocations within the RSC protocol and is exploitable only in frameworks that actively use RSCs.
Please note: This vulnerability does not require authentication, which makes exploitation easier.
The vulnerability is present in the following versions:
React
Vulnerable version(s) |
Fixed version |
|---|---|
19.0.0 or later |
19.0.4 |
19.1.0 or later |
19.1.5 |
19.2.0 or later |
19.2.4 |
Next.js
Vulnerable version(s) |
Fixed version |
|---|---|
13.3 and canaries or later |
[will not be fixed] |
14.0 and canaries or later |
[will not be fixed] |
15.0.0 or later |
15.0.8 |
15.1.0 or later |
15.1.11 |
15.2.0 or later |
15.2.9 |
15.3.0 or later |
15.3.9 |
15.4.0 or later |
15.4.11 |
15.5.0 or later |
15.5.10 |
15 canaries or later |
15.6.0-canary.61 |
16.0.0 or later |
16.0.11 |
16.1.0 or later |
16.1.5 |
16 canaries or later |
16.2.0-canary.9 |
All RSC frameworks are vulnerable, which also includes:
- react-router
- waku
- @parcel/rsc
- @vite/rsc-plugin
- rwsdk
Mitigation with Akamai App & API Protector
On January 26, 2026, Akamai deployed an Adaptive Security Engine Rapid Rule for App & API Protector customers to provide full coverage.
3000981 — Denial of Service In React/Next.js Vulnerability Detected (CVE-2026-23864)
Summary
A new rule within Akamai App & API Protector has been deployed to protect our customers from this DoS threat. However, the most effective defense will always be to promptly apply the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.
The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.
Tags
