CVE-2026-23864
HIGH
GHSA-83fc-fqcc-2hmg
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
Analysis
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) allows unauthenticated remote attackers to trigger denial of service through malformed requests to Server Function endpoints, causing server crashes, memory exhaustion, or CPU spikes. Applications using these packages are at risk of availability disruption. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications using affected React Server Components packages and assess exposure. Within 7 days: Implement network-level rate limiting and request throttling on affected services; evaluate temporary feature restrictions if feasible. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today