
What is CVE-2026-23869? React Server Components Security Alert

Matthew Mathur

Senior Security Researcher, Fastly

Fastly Security Research Team

Impacts, affected components, and what you can do immediately to stay secure

CVE-2026-23869: What you need to know

  • On April 8th, a new high-severity vulnerability (CVSS 7.5) was identified in React Server Components. This vulnerability can lead to Denial of Service. 

  • Fastly Next-Gen WAF customers can enable our new virtual patch to gain immediate protection against exploitation attempts while the underlying components are patched.

  • Affected components:

    • Next.js 13.x, 14.x, 15.x, 16.x and affected packages using the App Router

    • react-server-dom-turbopack, react-server-dom-parcel, and react-server-dom-webpack versions:

      • 19.0.0 through 19.0.4

      • 19.1.0 through 19.1.5

      • 19.2.0 through 19.2.4
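
To check a project against the version ranges listed above, the following added example (not Fastly's or Vercel's code) scans the `packages` map of an npm lockfile, including nested copies. The function names and the sample lockfile are constructed for illustration; Next.js 13.x to 16.x entries are reported as `review` because this page gives no fixed release numbers.

```javascript
// Affected ranges copied from the advisory above (bounds inclusive).
const AFFECTED_RANGES = [["19.0.0", "19.0.4"], ["19.1.0", "19.1.5"], ["19.2.0", "19.2.4"]];
const RSC_PACKAGES = ["turbopack", "parcel", "webpack"].map((b) => "react-server-dom-" + b);
const NEXT_MAJORS = new Set([13, 14, 15, 16]); // the page lists no fixed Next.js releases

// Strict "major.minor.patch" parser; canary/prerelease strings return null.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function classify(name, version) {
  const isRsc = RSC_PACKAGES.includes(name);
  if (!isRsc && name !== "next") return "ok";
  const v = parse(version);
  if (!v) return "review"; // cannot compare reliably, check by hand
  if (isRsc) {
    const inRange = ([lo, hi]) => cmp(v, parse(lo)) >= 0 && cmp(v, parse(hi)) <= 0;
    return AFFECTED_RANGES.some(inRange) ? "affected" : "ok";
  }
  // Next.js 13.x-16.x is in scope per the advisory; confirm against the vendor's fix list.
  return NEXT_MAJORS.has(v[0]) ? "review" : "ok";
}

// Walk the "packages" map of an npm lockfile (v2/v3), including nested copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !meta.version) continue; // skips the root project entry ""
    const status = classify(name, meta.version);
    if (status !== "ok") findings.push({ name, version: meta.version, status, path });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.3" },
    "node_modules/react-server-dom-parcel": { version: "19.2.5" },
    "node_modules/tool/node_modules/react-server-dom-turbopack": { version: "19.0.4" },
  },
};
console.table(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `scanLockfile` instead of `SAMPLE_LOCK`.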

What are the impacts of CVE-2026-23869? 

CVE-2026-23869 can lead to denial of service in unpatched environments. According to Vercel, a specially crafted HTTP request sent to any App Router Server Function endpoint may, when deserialized, trigger excessive CPU usage.

What can you do about it? 

While you should patch the underlying components as soon as possible, we understand that it can take time, so we have released a virtual patch for our Next-Gen WAF to provide immediate protection in the meantime. Follow the summarized steps below to access the Virtual Patch. 

  1. Go to Security > Next-Gen WAF > Workspaces.

  2. Click the gear icon next to the workspace you want to modify.

  3. Click Virtual patches.

  4. Find the desired virtual patch and enable it, optionally moving it from logging to blocking.

We know our customers entrust us with the resilience of their business-critical services, and core to our company's mission is to have your back when surprises like CVE-2026-23869 occur. That’s why we offer virtual patches: they give our customers breathing room while they patch impacted systems.

You can find additional details about virtual patches in our Docs and get detailed steps via our in-app AI assistant. Our teams are here for you as you navigate ongoing mitigation efforts, whether you’re a longstanding Fastly platform customer or new and in need of immediate protection. Let us know how we can help.
