Summary of CVE-2026-23864
React discloses CVE-2026-23864, a set of denial-of-service vulnerabilities in React Server Components affecting versions 19.0.x–19.2.x that can cause crashes or excessive resource usage via crafted HTTP requests.
Multiple high-severity vulnerabilities in React Server Components were responsibly disclosed. Importantly, these vulnerabilities do not allow for Remote Code Execution.

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

CVE-2026-23864 addresses multiple denial of service vulnerabilities in React Server Components. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code.

These vulnerabilities are present in versions 19.0.x, 19.1.x, and 19.2.x of the following packages:

These packages are included in the following frameworks and bundlers:

After creating mitigations to address this vulnerability, we deployed them across our globally-distributed platform to protect our customers. We still…
- vercel.com, Summary of CVE-2026-23864 (primary)