CVE-2026-23864

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

M

ultiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

References

Link	Resource
https://www.facebook.com/security/advisories/cve-2026-23864	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:facebook:react::::::::
	cpe:2.3:a:facebook:react::::::::
	cpe:2.3:a:facebook:react::::::::

History

13 Feb 2026, 15:23

Type	Values Removed	Values Added
First Time		Facebook react Facebook
References	~~() https://www.facebook.com/security/advisories/cve-2026-23864 -~~	() https://www.facebook.com/security/advisories/cve-2026-23864 - Vendor Advisory
CPE		cpe:2.3:a:facebook:react::::::::

26 Jan 2026, 21:15

Type	Values Removed	Values Added
CWE		CWE-400 CWE-502
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

26 Jan 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 20:16

Updated : 2026-02-13 15:23

NVD link : CVE-2026-23864

Mitre link : CVE-2026-23864

CVE.ORG link : CVE-2026-23864

JSON object : View

Products Affected

react

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-23864", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-26T20:16:16.773", "references": [{"url": "https://www.facebook.com/security/advisories/cve-2026-23864", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."}], "lastModified": "2026-02-13T15:23:05.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F93D6DB-994E-428D-970C-D50737B628CF", "versionEndExcluding": "19.0.4", "versionStartIncluding": "19.0.0"}, {"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2151CF1A-4E87-421E-9714-3AA87639FD6B", "versionEndExcluding": "19.1.5", "versionStartIncluding": "19.1.0"}, {"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9FC73AD9-7EA4-4789-B75B-DC1FFF6F66AF", "versionEndExcluding": "19.2.4", "versionStartIncluding": "19.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}