CVE-2026-23864

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*

History

03 Jul 2026, 13:17

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2026:34608 -

30 Jun 2026, 03:17

Type Values Removed Values Added
CWE CWE-1284
References
  • () https://access.redhat.com/errata/RHSA-2026:13571 -
  • () https://access.redhat.com/security/cve/CVE-2026-23864 -
  • () https://bugzilla.redhat.com/show_bug.cgi?id=2433059 -
  • () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json -

17 Jun 2026, 10:22

Type Values Removed Values Added
Summary
  • (es) Múltiples vulnerabilidades de denegación de servicio existen en los Componentes de Servidor de React, afectando los siguientes paquetes: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. Las vulnerabilidades se activan al enviar solicitudes HTTP especialmente diseñadas a los puntos finales de las Funciones de Servidor, y podrían provocar caídas del servidor, excepciones por falta de memoria o uso excesivo de CPU; dependiendo de la ruta de código vulnerable que se esté ejecutando, la configuración de la aplicación y el código de la aplicación. Considere encarecidamente actualizar a las últimas versiones de los paquetes para reducir el riesgo y prevenir problemas de disponibilidad en aplicaciones que utilizan Componentes de Servidor de React.

13 Feb 2026, 15:23

Type Values Removed Values Added
First Time Facebook
Facebook react
CPE cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*
References () https://www.facebook.com/security/advisories/cve-2026-23864 - () https://www.facebook.com/security/advisories/cve-2026-23864 - Vendor Advisory

26 Jan 2026, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE CWE-502
CWE-400

26 Jan 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-26 20:16

Updated : 2026-07-15 02:18


NVD link : CVE-2026-23864

Mitre link : CVE-2026-23864

CVE.ORG link : CVE-2026-23864


JSON object : View

Products Affected

facebook

  • react
CWE
CWE-400

Uncontrolled Resource Consumption

CWE-502

Deserialization of Untrusted Data

CWE-1284

Improper Validation of Specified Quantity in Input