Vercel disclosed CVE-2026-23869, a high-severity vulnerability in React Server Components with a CVSS score of 7.5, capable of causing Denial of Service conditions. Vercel responded by deploying WAF rules that automatically protect all Vercel-hosted projects.
For teams self-hosting Next.js, the situation requires manual patching. The vulnerability highlights that React Server Components expand the attack surface compared to traditional client-side rendering. Server-rendered payload processing becomes a target that teams need to treat with the same security rigor as any other API endpoint.
Founder Takeaway
If you self-host Next.js with React Server Components, check your version and patch immediately; Vercel-hosted projects are already protected.