CVE-2026-23864
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-02-13
Assigner: Facebook, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| react | From 19.0.0 (inc) to 19.0.4 (exc) | |
| react | From 19.1.0 (inc) to 19.1.5 (exc) | |
| react | From 19.2.0 (inc) to 19.2.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves multiple denial of service issues in React Server Components, specifically in the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerabilities can be triggered by sending specially crafted HTTP requests to Server Function endpoints, which may cause server crashes, out-of-memory exceptions, or excessive CPU usage depending on the code path, application configuration, and code.
How can this vulnerability impact me? :
The impact of this vulnerability includes potential denial of service conditions such as server crashes, out-of-memory exceptions, and excessive CPU usage. These issues can lead to application unavailability and degraded performance, affecting the reliability and stability of applications using React Server Components.
What immediate steps should I take to mitigate this vulnerability?
Strongly consider upgrading to the latest package versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to reduce risk and prevent availability issues caused by these denial of service vulnerabilities.