Multiple critical security vulnerabilities have recently been disclosed in React Server Components, enabling threat actors to launch Denial-of-Service (DoS) attacks against vulnerable servers.
The flaws, tracked as CVE-2026-23864 with a CVSS score of 7.5, are due to incomplete patches from previous security fixes and require immediate remediation.
Security researchers discovered additional attack vectors during testing the effectiveness of previous patches, demonstrating that multiple DoS vulnerabilities persist in the framework.
Vulnerability Details
The vulnerabilities affect three npm packages that handle React Server Components: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Attackers can exploit these flaws by sending specially crafted HTTP requests to Server Function endpoints, triggering server crashes, out-of-memory exceptions, or excessive CPU consumption.
| CVE ID | CVSS Score | Vulnerability Type | Affected Packages |
|---|---|---|---|
| CVE-2026-23864 | 7.5 | Denial of Service (DoS) | react-server-dom-parcel |
| CVE-2026-23864 | 7.5 | Denial of Service (DoS) | react-server-dom-turbopack |
| CVE-2026-23864 | 7.5 | Denial of Service (DoS) | react-server-dom-webpack |
The severity and impact of exploitation depend on the specific vulnerable code path being exercised, the application configuration, and the underlying application code.
Organizations using React frameworks and bundlers, such as Next.js, React Router, Waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk, are exposed to these vulnerabilities.
The disclosure follows a pattern typical in critical vulnerability management, where initial patches are scrutinized by security researchers who probe adjacent code paths for bypass techniques.
This iterative process, while sometimes frustrating, represents a healthy security response cycle similar to what occurred after the Log4Shell vulnerability.
Affected Versions and Patches
| Package Versions Affected | Patched Version |
|---|---|
| 19.0.0 – 19.0.3 | 19.0.4 |
| 19.1.0 – 19.1.4 | 19.1.5 |
| 19.2.0 – 19.2.3 | 19.2.4 |
Applications that do not use React Server Components or server-side React code remain unaffected by these vulnerabilities.
Similarly, applications without a framework, a bundler, or a bundler plugin that supports React Server Components face no risk.
| Environment | Update These Packages | Do NOT Update |
|---|---|---|
| React Native (Monorepo) | react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack | react, react-dom |
According to the advisory published, React Native users operating in monorepo environments should update :
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
