CVE-2026-23864
Modified
Modified - Updated After Analysis
BaseFortify
Vulnerability report for CVE-2026-23864, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-01-26
Last updated on: 2026-07-03
Assigner: Facebook, Inc.
Description
Description
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| react | From 19.0.0 (inc) to 19.0.4 (exc) | |
| react | From 19.1.0 (inc) to 19.1.5 (exc) | |
| react | From 19.2.0 (inc) to 19.2.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |