CVE-2026-23864

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23864
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23864.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23864
Aliases
Published
2026-01-26T20:16:16.773Z
Modified
2026-03-13T04:09:43.791051Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

References

Affected packages

Git / github.com/facebook/react

Affected ranges

Type
GIT
Repo
https://github.com/facebook/react
Events
Introduced
7aa5dda3b3e4c2baa905a59b922ae7ec14734b24
Fixed
7806ec2fe17f1813d9b77b4ee0510ad9c3672c8e
Introduced
4a9df08157f001c01b078d259748512211233dcf
Fixed
4045752491b1a839a30ae561364054a6fb93fbcc
Introduced
ae74234eae6ebd62f19190731278e20bc1c37d51
Fixed
90ab3f89f4824ac763b6f877c6f711200d1338d2
Database specific 
{
    "versions": [
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "19.0.4"
        },
        {
            "introduced": "19.1.0"
        },
        {
            "fixed": "19.1.5"
        },
        {
            "introduced": "19.2.0"
        },
        {
            "fixed": "19.2.4"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23864.json"