Mallory
Severity: High

Denial of Service in React Server Components Server Function endpoints

Identifiers: CVE-2026-23864 · CWE-400 (Uncontrolled Resource Consumption)

CVE-2026-23864 is a high-severity denial-of-service vulnerability affecting React Server Components, specifically the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in the 19.0.x, 19.1.x, and 19.2.x release lines. The issue is triggered when a specially crafted HTTP request is sent to a Server Function endpoint and processed through the vulnerable request deserialization paths. Depending on the code path exercised, the application configuration, and the application code, the malformed input can cause excessive CPU consumption, out-of-memory exceptions, or outright server crashes. The issue also affects downstream frameworks that embed these packages, including Next.js App Router deployments.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can deny availability of the targeted application by exhausting server resources or crashing the process. Observed outcomes described in the source material include excessive CPU usage, out-of-memory conditions, and server crashes. In downstream deployments such as Next.js App Router applications, repeated crafted requests to exposed Server Function endpoints can render the service unavailable. The available information indicates availability impact only; no confidentiality or integrity impact is described.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Server Function endpoints, especially App Router Server Function endpoints in Next.js, and apply compensating controls such as request filtering, rate limiting, WAF protections, and resource monitoring to limit denial-of-service impact. Vercel states it deployed WAF rules for hosted projects, but such protections should not be treated as a substitute for upgrading. Applications that do not use server-side React Server Components or Server Functions are not affected.

Remediation

Patch, then assume compromise.

Upgrade affected React Server Components packages to patched releases. The content identifies fixed React versions as 19.0.4, 19.1.5, and 19.2.4 for the affected react-server-dom-* packages. For downstream Next.js deployments using the App Router, upgrade to a patched Next.js release identified by the vendor, including 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, or later fixed versions in the supported branch. Frameworks and bundlers that depend on the vulnerable packages should also be updated to maintainer-provided fixed releases.
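As an added example that is not part of this advisory or of the React or Next.js projects, the following Node.js script checks installed versions of the packages named above against the fixed releases listed on this page. The package names and fixed versions come from the advisory; the sample dependency listing is constructed, and the hand-rolled version comparison is an assumption standing in for a real semver library.

```javascript
// Added example, not code from the advisory or from React/Next.js. Flags an installed
// version as "affected" when it sits below this page's fixed release for its minor line.
const RSC_FIXED = { "19.0": "19.0.4", "19.1": "19.1.5", "19.2": "19.2.4" };
const FIXED = {
  "react-server-dom-parcel": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
  "react-server-dom-webpack": RSC_FIXED,
  next: {
    "15.0": "15.0.8", "15.1": "15.1.12", "15.2": "15.2.9", "15.3": "15.3.9",
    "15.4": "15.4.11", "15.5": "15.5.10", "15.6": "15.6.0-canary.61",
    "16.0": "16.0.11", "16.1": "16.1.5",
  },
};

// Parse "MAJOR.MINOR.PATCH[-pre.release]" (optional leading "v") into comparable parts.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// Semver ordering: numeric core, then prerelease below release, then identifier by identifier.
function compare(a, b) {
  const A = parse(a), B = parse(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (!A.pre.length || !B.pre.length) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (A.pre[i] === undefined) return -1;   // shorter prerelease list sorts first
    if (B.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(A.pre[i]), bn = /^\d+$/.test(B.pre[i]);
    if (an && bn) { if (+A.pre[i] !== +B.pre[i]) return +A.pre[i] - +B.pre[i]; }
    else if (an !== bn) return an ? -1 : 1;  // numeric identifiers rank below alphanumeric
    else if (A.pre[i] !== B.pre[i]) return A.pre[i] < B.pre[i] ? -1 : 1;
  }
  return 0;
}

// "affected", "fixed", or "unknown" (package or release line this page does not list;
// check the vendor's supported-branch guidance rather than assuming it is safe).
function assess(pkg, version) {
  const lines = FIXED[pkg];
  if (!lines) return "unknown";
  const { nums } = parse(version);
  const fixed = lines[`${nums[0]}.${nums[1]}`];
  return fixed ? (compare(version, fixed) < 0 ? "affected" : "fixed") : "unknown";
}

// Constructed sample dependency listing (not a real project's lockfile).
const SAMPLE = { next: "15.6.0-canary.58", "react-server-dom-webpack": "19.2.4" };
function report(deps) { return Object.fromEntries(Object.entries(deps).map(([p, v]) => [p, assess(p, v)])); }
console.log(report(SAMPLE));
```

In practice feed `report()` the resolved versions from your lockfile rather than the declared ranges in package.json, since a caret range can resolve to either side of the fix.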
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor          | Product                     | Type
Meta Platforms  | React                       | application
Meta Platforms  | react-server-dom-parcel     | application
Meta Platforms  | react-server-dom-turbopack  | application
Meta Platforms  | react-server-dom-webpack    | application
Vercel          | Next.js                     | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
