CVE-2026-23864

HIGH

React Server Components 19.0.0-19.0.3, 19.1.0-19.1.4, 19.2.0-19.2.3 - DoS via Crafted HTTP Requests

Title source: llm

Description

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://www.facebook.com/security/advisories/cve-2026-23864

Scores

CVSS v3 7.5

EPSS 0.0147

EPSS Percentile 70.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400 CWE-502

Status published

Products (4)

facebook/react 19.0.0 - 19.0.4

npm/react-server-dom-parcel 19.0.0 - 19.0.4npm

npm/react-server-dom-turbopack 19.1.0-canary-7130d0c6-20241212 - 19.1.5npm

npm/react-server-dom-webpack 19.2.0-canary-63779030-20250328 - 19.2.4npm

Published Jan 26, 2026

Tracked Since Feb 18, 2026