CVE-2026-23864_CVE-2026-23864

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

Basic Information

ID CVE-2026-23864

Source Meta

Published Jan 26, 2026 at 19:16

Modified Jan 26, 2026 at 20:26

Affected Product

Vendor Meta

Product react-server-dom-webpack

Version 19.0.0

Affected Versions Meta react-server-dom-webpack 19.0.0
Meta react-server-dom-webpack 19.1.0
Meta react-server-dom-webpack 19.2.0
Meta react-server-dom-turbopack 19.0.0
Meta react-server-dom-turbopack 19.1.0
Meta react-server-dom-turbopack 19.2.0
Meta react-server-dom-parcel 19.0.0
Meta react-server-dom-parcel 19.1.0
Meta react-server-dom-parcel 19.2.0

CWE Classification

CWE-502 CWE-400

References

www.facebook.com /security/advisories/cve-2026-23864

{
    "lastseen": "",
    "description": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.",
    "published": "2026-01-26T19:16:38.250Z",
    "modified": "2026-01-26T20:26:45.709Z",
    "type": "cve",
    "title": "CVE-2026-23864",
    "source": "Meta",
    "references": "https://www.facebook.com/security/advisories/cve-2026-23864",
    "id": "CVE-2026-23864",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502",
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "Meta react-server-dom-webpack 19.0.0\nMeta react-server-dom-webpack 19.1.0\nMeta react-server-dom-webpack 19.2.0\nMeta react-server-dom-turbopack 19.0.0\nMeta react-server-dom-turbopack 19.1.0\nMeta react-server-dom-turbopack 19.2.0\nMeta react-server-dom-parcel 19.0.0\nMeta react-server-dom-parcel 19.1.0\nMeta react-server-dom-parcel 19.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "react-server-dom-webpack",
    "version": "19.0.0",
    "vendor": "Meta",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}