CVE-2025-55184
Published 2025-12-11
Priority P1 · 82 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 65.59% (99.2th percentile)
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected
63 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| react | — | — | — |
| react | — | — | — |
| react | — | — | — |
| react | — | >= 19.0.0 < 19.0.2 | 19.0.2 |
| react | — | >= 19.1.0 < 19.1.3 | 19.1.3 |
| react | — | >= 19.2.0 < 19.2.2 | 19.2.2 |
| meta | react-server-dom-parcel | >= 19.0.0 < 19.0.2 | 19.0.2 |
| meta | react-server-dom-parcel | >= 19.0.2 < 19.0.3 | 19.0.3 |
| meta | react-server-dom-parcel | 19.0.2 – 19.0.2 | — |
| meta | react-server-dom-parcel | >= 19.1.0 < 19.1.3 | 19.1.3 |
| meta | react-server-dom-parcel | >= 19.1.3 < 19.1.4 | 19.1.4 |
| meta | react-server-dom-parcel | 19.1.3 – 19.1.3 | — |
| meta | react-server-dom-parcel | >= 19.2.0 < 19.2.2 | 19.2.2 |
| meta | react-server-dom-parcel | >= 19.2.2 < 19.2.3 | 19.2.3 |
| meta | react-server-dom-parcel | 19.2.2 – 19.2.2 | — |
| meta | react-server-dom-turbopack | >= 19.0.0 < 19.0.2 | 19.0.2 |
| meta | react-server-dom-turbopack | >= 19.0.2 < 19.0.3 | 19.0.3 |
| meta | react-server-dom-turbopack | 19.0.2 – 19.0.2 | — |
| meta | react-server-dom-turbopack | >= 19.1.0 < 19.1.3 | 19.1.3 |
| meta | react-server-dom-turbopack | >= 19.1.3 < 19.1.4 | 19.1.4 |
| meta | react-server-dom-turbopack | 19.1.3 – 19.1.3 | — |
| meta | react-server-dom-turbopack | >= 19.2.0 < 19.2.2 | 19.2.2 |
| meta | react-server-dom-turbopack | >= 19.2.2 < 19.2.3 | 19.2.3 |
| meta | react-server-dom-turbopack | 19.2.2 – 19.2.2 | — |
| meta | react-server-dom-webpack | >= 19.0.0 < 19.0.2 | 19.0.2 |
Detection & IOCs
- CVE-2025-55184 is triggered by sending a crafted HTTP request to a Server Function endpoint; the vulnerable code unsafely deserializes payloads from HTTP requests, causing an infinite loop that hangs the server process
- CVE-2025-55184 requires no authentication; any pre-authentication HTTP request to a Server Function endpoint with a malicious payload can trigger the DoS condition
- Monitor for server processes hanging or becoming unresponsive after receiving HTTP POST requests to Server Function endpoints, which is the observable impact of successful exploitation
- CVE-2025-67779 is an incomplete fix for CVE-2025-55184; versions 19.0.2, 19.1.3, and 19.2.2 remain vulnerable — only 19.2.3 fully remediates the DoS
- To prevent DoS impacts due to CVE-2025-55184 and CVE-2025-67779, patch to 19.2.3; the 19.2.2 patch was found to be insufficient
- Affected packages are react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack at versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1; the next package and @vitejs/plugin-rsc are also listed as affected
- CVE-2025-55184 does NOT allow remote code execution; it is limited to a denial-of-service condition (infinite loop / server hang)
- The patch for CVE-2025-55184 in versions 19.0.2, 19.1.3, and 19.2.2 was incomplete; a bypass was assigned CVE-2025-67779, requiring upgrade to 19.2.3 for full remediation
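CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 7.5 | HIGH | — |
| vulncheck | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |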
GHSA
Denial of Service Vulnerability in React Server Components
ghsa·2025-12-12·CVSS 7.5
CVE-2025-67779 [HIGH] CWE-400 Denial of Service Vulnerability in React Server Components
## Impact
It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.
We recommend updating immediately.
The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
These issues are present in the patches published on December 11th, 2025.
## Patches
Fixes were back ported
GHSA
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
ghsa·2025-12-12·CVSS 7.5
CVE-2025-55184 [HIGH] CWE-1395 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, wh
OSV
Denial of Service Vulnerability in React Server Components
osv·2025-12-12·CVSS 7.5
CVE-2025-67779 [HIGH] Denial of Service Vulnerability in React Server Components
## Impact
It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.
We recommend updating immediately.
The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
These issues are present in the patches published on December 11th, 2025.
## Patches
Fixes were back ported
OSV
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
osv·2025-12-12·CVSS 7.5
CVE-2025-55184 [HIGH] Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, wh
GHSA
Denial of Service Vulnerability in React Server Components
ghsa·2025-12-11
CVE-2025-55184 [HIGH] CWE-400 Denial of Service Vulnerability in React Server Components
## Impact
There is a denial of service vulnerability in React Server Components.
React recommends updating immediately.
The vulnerability exists in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
These issues are present in the patches published last week.
## Patches
Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2.
If you are using any of the above packages please upgrade to any of the fixed versions immediately.
If y
GHSA
Next Vulnerable to Denial of Service with Server Components
ghsa·2025-12-11·CVSS 7.5
CVE-2025-55184 [HIGH] CWE-1395 Next Vulnerable to Denial of Service with Server Components
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
OSV
Denial of Service Vulnerability in React Server Components
osv·2025-12-11
CVE-2025-55184 [HIGH] Denial of Service Vulnerability in React Server Components
## Impact
There is a denial of service vulnerability in React Server Components.
React recommends updating immediately.
The vulnerability exists in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
These issues are present in the patches published last week.
## Patches
Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2.
If you are using any of the above packages please upgrade to any of the fixed versions immediately.
If y
OSV
Next Vulnerable to Denial of Service with Server Components
osv·2025-12-11·CVSS 7.5
CVE-2025-55184 [HIGH] Next Vulnerable to Denial of Service with Server Components
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
VulnCheck
facebook react Deserialization of Untrusted Data
vulncheck·2025·CVSS 7.5
CVE-2025-55184 [HIGH] facebook react Deserialization of Untrusted Data
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected: facebook react
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/azure-hosted-scann
Red Hat
next: React Server Components: Denial of Service via unsafe HTTP deserialization
vendor_redhat·2025-12-11·CVSS 7.5
CVE-2025-55184 [HIGH] CWE-502 next: React Server Components: Denial of Service via unsafe HTTP deserialization
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP (Hypertext Transfer Protocol) requests to Server Function endpoints. A malicious HTTP r
Red Hat
next: React Server Components: Denial of Service via Unsafe Deserialization
vendor_redhat·2025-12-11·CVSS 7.5
CVE-2025-67779 [HIGH] CWE-502 next: React Server Components: Denial of Service via Unsafe Deserialization
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP (Hypertext Transfer Protocol) requests to Server Function endpoints. A malicious HTTP request can be crafted and sent to any App Router
No detection rules found.
Nuclei
React Server Components - Denial of Service
nuclei·CVSS 7.5
CVE-2025-55184 [HIGH] React Server Components - Denial of Service
React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
Template:
```yaml
id: CVE-2025-55184

info:
  name: React Server Components - Denial of Service
  author: DhiyaneshDk
  severity: high
  description: |
    React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthentica
```
Mandiant
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
blogs_mandiant·2025-12-12·CVSS 10.0
CVE-2025-55182 [CRITICAL] Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
## Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
## Google Threat Intelligence Group
Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen
## Introduction
On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups.
GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT
Zscaler
React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz
blogs_zscaler·2025-12-08·CVSS 10.0
[CRITICAL] React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz
Wiz
CVE-2025-67779 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-67779 [CRITICAL] CVE-2025-67779 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67779: React Server Components vulnerability analysis and mitigation
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: NVD
- Score: 7.5
- Published: December 12, 2025
- Severity: HIGH
- CNA Score: 7.5
- High-profile Vulnerability: Yes
- Affected Technologies: React Server Components, Next.js
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Da
Wiz
GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5j59-xgg2-r9c4: Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz
GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mwv6-3258-q52c: Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Source: NVD
- Score: 7.5
- Published: December 11, 2025
- Severity: HIGH
- CNA Score: N/A
- Affected Technologies: Next.js
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Prob
Wiz
CVE-2025-55183 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-55183 [CRITICAL] CVE-2025-55183 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-55183: React Server Components vulnerability analysis and mitigation
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Source: NVD
- Score: 5.3
- Published: December 11, 2025
- Severity: MEDIUM
- CNA Score: 5.3
- High-profile Vulnerability: Yes
- Affected Technologies: React Server Components, Next.js
- Ha
Wiz
CVE-2025-55184 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-55184 [CRITICAL] CVE-2025-55184 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-55184: React Server Components vulnerability analysis and mitigation
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: NVD
- Score: 7.5
- Published: December 11, 2025
- Severity: HIGH
- CNA Score: 7.5
- High-profile Vulnerability: Yes
- Affected Technologies: React Server Components, Next.js
- Has Public Exploit: Yes
- Has CISA KEV Exploit N
Wiz
CVE-2026-23864 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-23864 [CRITICAL] CVE-2026-23864 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23864: React Server Components vulnerability analysis and mitigation
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Source: NVD
- Score: 7.5
- Published: January 26, 2026
- Severity: HIGH