## Wiz Researchers Uncover Unauthenticated DoS Vulnerability in Next.js — CVE-2026-23870 Threatens 14.x Deployments
A high-severity denial-of-service vulnerability has been identified in Next.js, the widely deployed React framework, and a public exploit is already circulating. The flaw, tracked as CVE-2026-23870, carries a CVSS score of 7.5 (High) and allows an unauthenticated attacker to disrupt availability over the network with no credentials or user interaction. It was discovered by security researchers at Wiz on May 13, 2026.

The affected components are the package manifest and lock file in the repository's frontend directory. According to internal audit records, `/frontend/package.json` declares Next.js `14.2.35`, while `/frontend/yarn.lock` resolves it to `14.1.0`; both fall within the affected range. The two files also disagree with each other, so the lock file is stale relative to the manifest; what is actually deployed is whatever the build's `yarn install` resolved, and the installed version (for example via `yarn list --pattern next`) should be checked rather than trusting either file. The vulnerability affects Next.js versions below `15.5.16`, so any application still on the 14.x branch is exposed. CISA's Known Exploited Vulnerabilities catalog does not yet list this CVE, but the public exploit makes internet-facing deployments an immediate concern.

Security guidance recommends an urgent upgrade to Next.js `15.5.18` or later, followed by regenerating the lock file and full regression testing (15.x is a major-version jump from 14.x, so breaking changes should be expected). Organizations should also verify that no sub-dependency pins an older version, since a transitive dependency can reintroduce the vulnerable code path even after the application's own dependency is bumped. Because the impact is on availability, this is especially concerning for production environments where uptime and service continuity are business-critical. Teams running Next.js applications should treat this as a high-priority patching operation, above all where network-level mitigations such as rate limiting or WAF rules cannot be deployed in the near term.
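As an added example (not code from the advisory, from Wiz, or from the Next.js project), the following Node.js script audits a yarn v1 lock file and a package.json for every resolution of `next` below the fixed version. It lists each `next@<range>` entry separately, which is how a transitive dependency pinning an old range shows up after the application's own upgrade. The lock file content and package.json are constructed from the versions quoted above, the `15.5.16` threshold is taken from the advisory text, and the function names are this example's own.

```javascript
// Added example: audit a yarn v1 lock file and package.json for Next.js
// resolutions below the fixed version. The inputs below are constructed for
// this example; they are not the repository's real /frontend files.

const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"@next/env@14.1.0":
  version "14.1.0"

"next@^14.1.0", "next@14.1.0":
  version "14.1.0"
  resolved "https://registry.yarnpkg.com/next/-/next-14.1.0.tgz"
  dependencies:
    "@next/env" "14.1.0"

next@15.5.18:
  version "15.5.18"

react@^18.2.0:
  version "18.2.0"
`;

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "frontend",
  dependencies: { next: "14.2.35", react: "^18.2.0" },
});

// Versions below this are affected, per the advisory text.
const FIXED_VERSION = "15.5.16";

// "next@^14.1.0" -> "next"; "@next/env@14.1.0" -> "@next/env" (scoped names
// start with "@", so the separator is the last "@", not the first).
function packageName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Minimal yarn v1 lock parser: an unindented line ending in ":" opens an entry
// whose (possibly quoted, comma-separated) keys are "name@range" specifiers;
// the indented `version "x.y.z"` line gives the resolved version.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.trimStart().startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, names: specs.map(packageName), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"?([^"\s]+)"?/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease (15.5.16-canary.1) sorts below its release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// Every lock entry resolving "next" is reported, including ones pulled in by
// other packages (each distinct range is its own "next@<range>" key).
function findNextResolutions(lockText, fixedVersion = FIXED_VERSION) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.names.includes("next") && e.version !== null)
    .map((e) => ({ specs: e.specs, version: e.version,
                   vulnerable: compareSemver(e.version, fixedVersion) < 0 }));
}

function declaredNextRange(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return deps.next || null;
}

function auditNext(lockText, packageJsonText, fixedVersion = FIXED_VERSION) {
  const resolutions = findNextResolutions(lockText, fixedVersion);
  return { declared: declaredNextRange(packageJsonText), resolutions,
           anyVulnerable: resolutions.some((r) => r.vulnerable) };
}

console.log(JSON.stringify(auditNext(SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_JSON), null, 2));
```

On the constructed input the report shows the manifest declaring `14.2.35` while the lock file still resolves `14.1.0` (vulnerable) alongside a `15.5.18` resolution (not vulnerable). When a vulnerable resolution survives an upgrade, `yarn why next` shows which dependency is requesting the old range.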
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-23870, denial-of-service, Next.js, Wiz, vulnerability-patching
- **Credibility**: unverified
- **Published**: 2026-05-14 05:48:30
- **ID**: 82914
- **URL**: https://whisperx.ai/en/intel/82914