VDB
CVE-2026-23864
CVE-2026-23864
PUBLISHED
CVSS 9.300000190734863 CRITICAL
React Server Components have multiple Denial of Service Vulnerabilities
EPSS 1.98% · 83.9th percentile
Risk Scores
CVSS v4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
1.98%
83.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Meta | react-server-dom-parcel | 19.2.0, 19.1.0, 19.0.0 |
| react | 19.1.0, 19.2.0, 19.1.0 | |
| Meta | react-server-dom-webpack | 19.0.0, 19.2.0, 19.1.0 |
| npm | react-server-dom-parcel | 19.1.0-canary-7130d0c6-20241212, 19.2.0-canary-63779030-20250328, 19.0.0 |
| npm | react-server-dom-webpack | 19.0.0, 19.2.0-canary-63779030-20250328, 19.1.0-canary-7130d0c6-20241212 |
| npm | react-server-dom-turbopack | 19.1.0-canary-7130d0c6-20241212, 19.0.0, 19.2.0-canary-63779030-20250328 |
| Meta | react-server-dom-turbopack | 19.0.0, 19.2.0, 19.1.0 |
Timeline
- Jan 26, 2026 CVE Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 26, 2026 PoC Published
- Jan 27, 2026 EPSS Score
- Jan 27, 2026 PoC Published
- Jan 27, 2026 PoC Published
- Jan 27, 2026 PoC Published
- Jan 27, 2026 PoC Published
- Jan 27, 2026 PoC Published
References
- https://www.facebook.com/security/advisories/cve-2026-23864 url
- https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg url
- https://nvd.nist.gov/vuln/detail/CVE-2026-23864 advisory
- https://github.com/facebook/react package
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components url