Skip to main content

React CVE-2026-23864

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-01-26 cve-assign@fb.com GHSA-83fc-fqcc-2hmg
7.5
CVSS 3.1 · Vendor: fb
Share

Severity by source

Vendor (fb) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (fb).

CVSS VectorVendor: fb

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
CVE Published
Jan 26, 2026 - 20:16 nvd
HIGH 7.5

DescriptionCVE.org

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

AnalysisAI

Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) allows unauthenticated remote attackers to trigger denial of service through malformed requests to Server Function endpoints, causing server crashes, memory exhaustion, or CPU spikes. Applications using these packages are at risk of availability disruption. No patch is currently available; immediate mitigation and monitoring are recommended.

Technical ContextAI

Classified as CWE-400 (Uncontrolled Resource Consumption). Affects the React Server component of React. Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

Strongly co

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in React

View all
CVE-2025-55182 CRITICAL POC
10.0 Dec 03

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202

CVE-2025-45001 HIGH POC
7.5 Jun 09

react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and

CVE-2026-22028 MEDIUM POC
6.1 Jan 08

HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

CVE-2026-1461 MEDIUM
6.5 Feb 19

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

CVE-2025-68470 MEDIUM
6.5 Jan 10

React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

CVE-2026-30847 MEDIUM
6.5 Mar 06

Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]

CVE-2026-22030 MEDIUM
6.5 Jan 10

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

CVE-2018-6341 MEDIUM
6.1 Dec 31

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a

CVE-2026-29613 MEDIUM
5.9 Mar 05

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).

CVE-2025-14969 MEDIUM
4.3 Jan 26

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client

CVE-2026-28194 MEDIUM
4.3 Feb 25

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

Vendor StatusVendor

Share

CVE-2026-23864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy