High-Severity DoS Flaw Hits React Server Components (CVE-2026-23864)

  • Jan 27

Key Findings:


  • The React team issued an urgent security advisory about incomplete fixes for Denial of Service (DoS) vulnerabilities in React Server Components

  • A new high-severity flaw, CVE-2026-23864 (CVSS 7.5), allows attackers to trigger server crashes, out-of-memory exceptions, or excessive CPU usage via "specially crafted HTTP requests"

  • The vulnerability affects the React packages used for server-side rendering (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) in versions 19.0.0 through 19.2.3

  • Traditional client-side React apps not using Server Components are not affected


Background


The React JavaScript library powers a significant portion of the modern web. Recently, the React team has been working to introduce server-side rendering capabilities through its "React Server Components" feature. This allows developers to offload more application logic to the server, improving performance and reducing client-side complexity.


Vulnerability Details


The newly disclosed flaw, tracked as CVE-2026-23864, targets the core mechanism of how React handles server-side rendering. By sending "specially crafted HTTP requests to Server Function endpoints," an attacker can trigger a cascade of resource consumption, leading to "server crashes, out-of-memory exceptions or excessive CPU usage."


The issue is specific to the server-dom packages used with the Webpack, Parcel, and Turbopack bundlers. The vulnerability affects versions 19.0.0 through 19.2.3 of the following packages:


  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack


Incomplete Fixes


The React team acknowledged that previous attempts to address DoS vulnerabilities in Server Components were "incomplete." The new flaw highlights the challenges of securing server-side rendering technologies in the JavaScript ecosystem.


Impact and Recommendations


With a CVSS score of 7.5, this vulnerability poses a significant risk to applications using React Server Components. Successful exploitation can lead to application crashes and service disruptions, effectively denying access to legitimate users.


The React team strongly urges developers to update their dependencies immediately to the newly released patched versions:


  • For the 19.0.x branch: Upgrade to 19.0.4

  • For the 19.1.x branch: Upgrade to 19.1.5

  • For the 19.2.x branch: Upgrade to 19.2.4


"We recommend updating immediately," the React team emphasized, noting that the fixes have been backported to ensure broad coverage across supported versions.
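The practical check most teams need here is "do we ship an affected react-server-dom-* version anywhere in the dependency tree, and which patched release applies to our branch?" The following Node.js script is an added example, not code from the advisory or from the React project: it walks the `packages` map of an npm lockfile (the layout used by npm 7+ lockfiles, an assumption) and flags the three packages named above when their version falls in the 19.0.0 through 19.2.3 range, mapping each hit to the patched release for its minor branch. The lockfile fragment at the bottom is constructed for demonstration.

```javascript
// Added example (not from the advisory or the React project): audit an npm
// package-lock.json "packages" map for the react-server-dom-* versions
// affected by CVE-2026-23864. Assumes the lockfile layout of npm 7+ (entries
// keyed by their node_modules path), so nested copies are caught as well.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched release per minor branch, as listed in the advisory.
const FIXED_BY_BRANCH = { "19.0": "19.0.4", "19.1": "19.1.5", "19.2": "19.2.4" };

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 19.0.0 through 19.2.3, inclusive.
function isAffectedVersion(version) {
  const v = parseSemver(version);
  if (!v) return false;
  return compareSemver(v, [19, 0, 0]) >= 0 && compareSemver(v, [19, 2, 3]) <= 0;
}

// Patched version for the same minor branch, or null if the branch is unknown.
function recommendedUpgrade(version) {
  const v = parseSemver(version);
  if (!v) return null;
  return FIXED_BY_BRANCH[`${v[0]}.${v[1]}`] ?? null;
}

// Return one finding per affected package instance found in the lockfile.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    // The package name is the last node_modules/ segment unless given explicitly.
    const name = entry.name ?? path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    if (isAffectedVersion(entry.version)) {
      findings.push({
        path,
        name,
        version: entry.version,
        upgradeTo: recommendedUpgrade(entry.version),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.3" },
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.0.2" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.4" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected, upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Note that `react` itself (19.2.3 in the sample) is deliberately not flagged: per the advisory only the three server-dom packages are affected, and client-only apps are out of scope.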


Conclusion


The discovery of this high-severity flaw in React Server Components underscores the importance of thorough security auditing and ongoing maintenance for server-side rendering technologies. As the JavaScript ecosystem continues to evolve, developers must remain vigilant and promptly address emerging vulnerabilities to protect their applications and users.


Sources


  • https://securityonline.info/incomplete-fix-high-severity-react-server-components-dos-flaw-cve-2026-23864/

  • https://securityonline.info/high-severity-dos-flaw-hits-google-protocol-buffers-cve-2026-0994/

  • https://x.com/the_yellow_fall/status/2015998840457850890

  • https://cyberpress.org/multiple-flaws-in-react-server-components-could-allow-attackers-to-trigger-dos-attacks/

© 2025 by Explain IT Again.