Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels.
We strongly recommend updating your application and its dependencies immediately. Patched versions are available for React (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack 19.0.6, 19.1.7, and 19.2.6) and Next.js (15.5.16 and 16.2.5). If you use a React-based server framework, such as Vinext, OpenNext, or TanStack Start, update to the latest version of that framework as well.
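As an added check (not code from the Cloudflare post or from the React or Next.js projects), the script below compares the package versions resolved in a project against the patched releases named above and reports which ones still need an upgrade; the dependency map is a constructed sample, and in practice you would read it from your lockfile.

```javascript
// Added example, not code from the Cloudflare post. Checks resolved dependency
// versions against the patched releases the advisory names.
const PATCHED = { // minimum patched version per release line, from the advisory
  'react-server-dom-webpack': ['19.0.6', '19.1.7', '19.2.6'],
  'react-server-dom-parcel': ['19.0.6', '19.1.7', '19.2.6'],
  'react-server-dom-turbopack': ['19.0.6', '19.1.7', '19.2.6'],
  next: ['15.5.16', '16.2.5'],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading ^, ~, = or v is ignored,
// as is any pre-release suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[\^~=v]/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Pick the lowest patched release on the same major with a minor at or above
// the installed one; that is the smallest upgrade that lands on a fixed build.
function assess(pkg, installed) {
  const inst = parseVersion(installed);
  const floors = (PATCHED[pkg] || []).map(parseVersion)
    .filter((f) => f[0] === inst[0] && f[1] >= inst[1])
    .sort(compare);
  if (floors.length === 0) {
    // No fixed build named for this line (e.g. an older major): cannot conclude.
    return { pkg, installed, status: 'unknown' };
  }
  const minimum = floors[0].join('.');
  const status = compare(inst, floors[0]) >= 0 ? 'patched' : 'vulnerable';
  return { pkg, installed, status, minimum };
}

// Audit a name -> version map (read yours from package-lock.json or pnpm-lock.yaml).
function auditDependencies(deps) {
  const covered = Object.keys(PATCHED);
  return Object.keys(deps).filter((n) => covered.includes(n)).map((n) => assess(n, deps[n]));
}

// Constructed sample, not a real project's lockfile.
const SAMPLE_DEPS = { next: '^15.4.7', 'react-server-dom-webpack': '19.2.6', react: '19.2.1' };
console.log(auditDependencies(SAMPLE_DEPS));
```

A package on a release line the advisory does not name (for example an older Next.js major) is reported as `unknown` rather than `patched`, so it still needs a manual look.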
WAF protections
Cloudflare WAF rules deployed in response to prior React Server Component CVEs (CVE-2025-55184 and CVE-2026-23864) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.
| Ruleset | Rule description | Rule ID | Default action |
|---|---|---|---|
| Cloudflare Managed Ruleset | React – DoS – CVE-2025-55184 | 2694f1610c0b471393b21aef102ec699 | Block |
| Cloudflare Managed Ruleset | React – DoS – CVE-2026-23864 | aaede80b4d414dc89c443cea61680354 | Block |
The existing rules detect the underlying attack patterns generically. As a result, they apply to the new CVE-2026-23870 denial-of-service vulnerability in Server Components and the corresponding Next.js advisory GHSA-8h8q-6873-q5fj.
Cloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: CVE-2026-23870 / GHSA-8h8q-6873-q5fj, GHSA-267c-6grr-h53f, and GHSA-mg66-mrh9-m8jx. If it is possible to create a managed WAF rule that mitigates these CVEs and does not potentially break application behavior, Cloudflare will add additional managed WAF rules. These rules will be announced through the WAF changelog. Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible.
Several of the disclosed vulnerabilities cannot be blocked by a WAF at all. We strongly recommend updating your applications so that they do not rely solely on WAF mitigations.
Customers on Pro, Business, or Enterprise plans should ensure that Managed Rules are enabled.
Next.js adapters
Vinext: Vinext is a Vite plugin that reimplements the Next.js API surface. Vinext’s latest release is not vulnerable to any of the disclosed CVEs. Vinext’s architecture differs from stock Next.js in ways that sidestep the affected code paths. For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as x-nextjs-data at request boundaries. As an extra layer of defense, we added a React 19.2.6 or later requirement when running vinext init (PR #1118, PR #1112) to prevent accidentally running a vulnerable version of React with Vinext.
OpenNext on Cloudflare: OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions (PR #1255).
Summary of disclosed vulnerabilities
| Advisory | Severity | Issue | WAF status |
|---|---|---|---|
| CVE-2026-23870 / GHSA-8h8q-6873-q5fj | High | Denial of service in Server Components | WAF rules in place: 2694f1610c0b471393b21aef102ec699, aaede80b4d414dc89c443cea61680354; Cloudflare is investigating additional managed WAF coverage |
| GHSA-267c-6grr-h53f | High | Middleware bypass via segment-prefetch routes | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| GHSA-mg66-mrh9-m8jx | High | Denial of service via connection exhaustion in Cache Components | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| GHSA-492v-c6pp-mqqv | High | Middleware bypass via dynamic route parameter injection | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-c4j6-fc7j-m34r | High | SSRF via WebSocket upgrades | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-36qx-fr4f-26g5 | High | Middleware bypass in Pages Router i18n | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-ffhc-5mcf-pf4q | Moderate | XSS via CSP nonces | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-gx5p-jg67-6x7h | Moderate | XSS in beforeInteractive scripts | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-h64f-5h5j-jqjh | Moderate | Denial of service in Image Optimization API | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-wfc6-r584-vfw7 | Moderate | Cache poisoning in RSC responses | Custom WAF rule possible; global managed rule could potentially break application behavior |
| GHSA-vfv6-92ff-j949 | Low | Cache poisoning via RSC cache-busting collisions | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| GHSA-3g8h-86w9-wvmq | Low | Middleware redirect cache poisoning | Custom WAF rule possible; global managed rule could potentially break application behavior |
Source: Cloudflare