Next.js Server Components are affected by a Denial of Service vulnerability (GHSA-q4gf-8mx6-v5v3, CWE-400) that allows an attacker to trigger resource exhaustion via malformed input, potentially causing application unavailability. No CVE ID is assigned and no CVSS score is available from current sources; no known active exploitation or CISA KEV listing is present. Organizations should verify affected version ranges against the OSV advisory at osv.dev/vulnerability/GHSA-q4gf-8mx6-v5v3, upgrade the next npm package to the patched version, and implement rate limiting or WAF controls as a temporary compensating measure for internet-exposed applications.