GHSA-q4gf-8mx6-v5v3

Source
https://github.com/advisories/GHSA-q4gf-8mx6-v5v3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q4gf-8mx6-v5v3/GHSA-q4gf-8mx6-v5v3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q4gf-8mx6-v5v3
Published
2026-04-10T15:35:47Z
Modified
2026-04-13T20:29:26.502240703Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Next.js has a Denial of Service with Server Components
Details

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory in our changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

Database specific
{
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "HIGH",
    "nvd_published_at": null,
    "github_reviewed_at": "2026-04-10T15:35:47Z",
    "github_reviewed": true
}
Affected packages

npm / next

Affected ranges

Type: SEMVER
Events:
  • Introduced: 13.0.0
  • Fixed: 15.5.15

npm / next

Affected ranges

Type: SEMVER
Events:
  • Introduced: 16.0.0-beta.0
  • Fixed: 16.2.3
