CVE-2026-23864
Published: 2026-01-26
Priority: P3 · 48 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.33% (81.4th percentile)
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| react | | >= 19.0.0 < 19.0.4 | 19.0.4 |
| react | | >= 19.1.0 < 19.1.5 | 19.1.5 |
| react | | >= 19.2.0 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-parcel | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-parcel | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-parcel | >= 19.1.0 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-parcel | >= 19.1.0-canary-7130d0c6-20241212 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-parcel | >= 19.2.0 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-parcel | >= 19.2.0-canary-63779030-20250328 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-turbopack | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-turbopack | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-turbopack | >= 19.1.0 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-turbopack | >= 19.1.0-canary-7130d0c6-20241212 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-turbopack | >= 19.2.0 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-turbopack | >= 19.2.0-canary-63779030-20250328 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-webpack | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-webpack | >= 19.0.0 < 19.0.4 | 19.0.4 |
| meta | react-server-dom-webpack | >= 19.1.0 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-webpack | >= 19.1.0-canary-7130d0c6-20241212 < 19.1.5 | 19.1.5 |
| meta | react-server-dom-webpack | >= 19.2.0 < 19.2.4 | 19.2.4 |
| meta | react-server-dom-webpack | >= 19.2.0-canary-63779030-20250328 < 19.2.4 | 19.2.4 |
| next | next | >= 13.0.0 < 15.0.8 | 15.0.8 |
| next | next | >= 15.1.1-canary.0 < 15.1.12 | 15.1.12 |
| next | next | >= 15.2.0-canary.0 < 15.2.9 | 15.2.9 |
| next | next | >= 15.3.0-canary.0 < 15.3.9 | 15.3.9 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa · 7.5 HIGH
osv · 7.5 HIGH
vendor_redhat · 7.5 HIGH
VulDB
Meta react-server-dom-webpack up to 19.0.3/19.1.4/19.2.3 React Server deserialization
vuldb·2026-06-30·CVSS 7.5
CVE-2026-23864 [HIGH] Meta react-server-dom-webpack up to 19.0.3/19.1.4/19.2.3 React Server deserialization
A vulnerability was found in Meta react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel up to 19.0.3/19.1.4/19.2.3. It has been declared as critical. This affects an unknown part of the component React Server Component. The manipulation results in deserialization.
This vulnerability is cataloged as CVE-2026-23864. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
React Server Components have multiple Denial of Service Vulnerabilities
ghsa·2026-01-29
CVE-2026-23864 [HIGH] CWE-400 React Server Components have multiple Denial of Service Vulnerabilities
## Impact
It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities still exist in React Server Components.
We recommend updating immediately.
The vulnerability exists in versions 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
The vulnerabilities are triggered by sending specially crafted HTTP requests
OSV
React Server Components have multiple Denial of Service Vulnerabilities
osv·2026-01-29
CVE-2026-23864 [HIGH] React Server Components have multiple Denial of Service Vulnerabilities
GHSA
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
ghsa·2026-01-28·CVSS 7.5
CVE-2026-23864 [HIGH] CWE-400 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
OSV
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
osv·2026-01-28·CVSS 7.5
CVE-2026-23864 [HIGH] Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
Red Hat
react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
vendor_redhat·2026-01-26·CVSS 7.5
CVE-2026-23864 [HIGH] CWE-1284 react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Componen
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Wiz
CVE-2025-67779 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-67779 [CRITICAL] CVE-2025-67779 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67779: React Server Components vulnerability analysis and mitigation
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: NVD
Score: 7.5
Published: December 12, 2025
Severity: HIGH
CNA Score: 7.5
High-profile Vulnerability: Yes
Affected Technologies: React Server Components, Next.js
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Da
Wiz
CVE-2025-55183 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-55183 [CRITICAL] CVE-2025-55183 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-55183: React Server Components vulnerability analysis and mitigation
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Source: NVD
Score: 5.3
Published: December 11, 2025
Severity: MEDIUM
CNA Score: 5.3
High-profile Vulnerability: Yes
Affected Technologies: React Server Components, Next.js
Ha
Wiz
CVE-2025-55184 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-55184 [CRITICAL] CVE-2025-55184 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-55184: React Server Components vulnerability analysis and mitigation
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: NVD
Score: 7.5
Published: December 11, 2025
Severity: HIGH
CNA Score: 7.5
High-profile Vulnerability: Yes
Affected Technologies: React Server Components, Next.js
Has Public Exploit: Yes
Has CISA KEV Exploit N
Wiz
CVE-2026-23864 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-23864 [CRITICAL] CVE-2026-23864 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23864: React Server Components vulnerability analysis and mitigation
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Source: NVD
Score: 7.5
Published: January 26, 2026
Severity: HIGH
Bugzilla
CVE-2026-23864 react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
bugzilla·2026-01-26·CVSS 7.5
CVE-2026-23864 [HIGH] CVE-2026-23864 react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using Reac
Published: 2026-01-26