
DoS Vulnerability Analysis in React Server Components & Next.js (2026)

January 29, 2026 · #Technology

A series of serious DoS vulnerabilities has just been discovered in React and Next.js, threatening the stability of millions of web applications. This article analyzes the technical mechanism and the remediation steps.


The web development industry's shift toward hybrid models of server and client processing has reached its peak with the introduction of React Server Components (RSC). However, this revolution also brings unprecedented security challenges. During the period from December 2025 to January 2026, a series of serious vulnerabilities were discovered, shaking the foundations of applications using React 19 and Next.js 15/16. Starting with the "React2Shell" remote code execution (RCE) vulnerability (CVE-2025-55182), subsequent in-depth research has continued to reveal a series of denial-of-service (DoS) weaknesses deep in the data transfer protocol and system optimization features. This report provides an in-depth look at the most recent DoS vulnerabilities, including GHSA-83fc-fqcc-2hmg, CVE-2025-59471, and CVE-2025-59472.

1. Evolution of security threats in the RSC era

To understand the urgency, it is necessary to consider the historical context of the "React2Shell" event (CVE-2025-55182). In late 2025, the security community identified an unsafe deserialization bug in React's "Flight" protocol, allowing RCE with a CVSS score of 10.0. Although patches were deployed, the RCE remediation effort unintentionally exposed other flawed processing logic, leading to scenarios where an attacker could crash the server or drain resources without executing malicious code.

The recent DoS vulnerabilities are the result of a complex interaction between React's data processing logic and the Node.js environment. When an application accepts complex data structures from users for server-side rendering, it faces resource management risks.

List of major DoS vulnerabilities (Updated January 26, 2026):

  • GHSA-83fc-fqcc-2hmg: Affects react-server-dom-* packages. An attacker sends a specially crafted HTTP request to the Server Function endpoint, causing a server crash or memory overflow.

  • CVE-2025-59471: Vulnerability in Next.js Image Optimizer. Occurs when remotePatterns is enabled, allowing remote images that are too large to crash the server due to OOM (Out-of-Memory).

  • CVE-2025-59472: Vulnerability in Next.js PPR (Minimal Mode). Impacts the resume endpoint, allowing zip bomb attacks or unlimited buffering.

  • CVE-2025-55184: Event loop crashes due to circular Promise references in RSC.

2. Technical mechanism of the GHSA-83fc-fqcc-2hmg vulnerability

The focus of the January 26, 2026 updates is GHSA-83fc-fqcc-2hmg. Researchers found that previous DoS patches (like CVE-2025-55184) were flawed. The problem lies with the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages.

Deserialization and infinite loops

React's Flight protocol divides data into chunks, and each chunk can refer to another chunk. The vulnerability arises when the decoding mechanism encounters cyclical references. An attacker could create an HTTP request containing nested Promise references. When the server tries to resolve these Promises, it falls into an infinite loop, blocking Node.js's single event loop and leading to a complete denial of service.

This vulnerability has a CVSS score of 7.5, allowing remote exploitation without authentication. Even if the developer does not define a Server Function, the framework (like Next.js App Router) can still be affected due to default RSC support.

3. Next.js Image Optimizer Vulnerability (CVE-2025-59471)

This vulnerability affects self-hosted Next.js applications that use external image optimization via remotePatterns.

  • Mechanism: The /_next/image endpoint loads images from a remote source into memory without checking a maximum file size limit.

  • Exploit: An attacker requests to optimize an extremely large image from an authorized domain. When Node.js loads this huge data, it quickly exceeds the JavaScript heap limit, causing the process to crash.

Affected versions: Next.js >=10 to <15.5.10 and >=16 to <16.1.5. Applications on Vercel are not affected due to their infrastructure protection mechanism.

4. Next.js PPR and Minimal Mode Vulnerability (CVE-2025-59472)

CVE-2025-59472 concerns the experimental Partial Pre-Rendering (PPR) and "Minimal Mode" (NEXT_PRIVATE_MINIMAL_MODE=1).

  • Unlimited buffering: The server uses Buffer.concat() to accumulate the request body in memory without checking its size.

  • Zip bomb attack: Compressed data is decompressed using inflateSync() without limiting the output. A small compressed payload can expand to gigabytes in memory, bypassing the size checks at the proxy layer.

The result is the error "FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory", which immediately terminates the Node.js process.

5. Impact of Async Hooks and APM

One technical detail noted by Tan Phat Digital is the role of async_hooks in Node.js. React and Next.js use AsyncLocalStorage to keep track of request context. When monitoring (APM) tools such as Datadog or OpenTelemetry are in use, async_hooks is always enabled. In this environment, stack overflow errors caused by RSC make Node.js exit completely with exit code 7 instead of merely returning an HTTP 500 error, which makes the DoS attack more severe.

6. Mitigation and upgrade strategy

Complete resolution requires software updates and infrastructure configuration changes.

Version updates (Top priority)

Organizations should review lockfiles and upgrade to secure versions released on January 26, 2026:

  • React 19.0.x: Update from versions 19.0.0 - 19.0.3 to version 19.0.4.

  • React 19.1.x: Update from versions 19.1.0 - 19.1.4 to version 19.1.5.

  • React 19.2.x: Update from versions 19.2.0 - 19.2.3 to version 19.2.4.

  • Next.js 15.x: Upgrade from versions before 15.5.10 to version 15.5.10.

  • Next.js 16.x: Upgrade from versions before 16.1.5 to version 16.1.5.

Temporary protection measures

  1. Infrastructure: Set a request body size limit at the reverse proxy (client_max_body_size in Nginx, or the equivalent directive in Apache) to prevent unlimited buffering.

  2. Configuration: Restrict or remove untrusted domains in remotePatterns of Image Optimizer.

  3. Feature flags: Disable the PPR feature (experimental.ppr: false) and Minimal Mode unless they are absolutely necessary.

  4. WAF: Update firewall rules (such as vWAF) to detect and block anomalous RSC payloads or POST requests with Next-Resume: 1 header.

The continuous appearance of these vulnerabilities shows that RSC is still maturing. Tan Phat Digital recommends that businesses immediately review and upgrade their systems to ensure service availability against increasingly sophisticated DoS attack scenarios.
