CVE-2026-23864

HIGH 7.5

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

Vendor	meta
Product	react-server-dom-webpack
Published	Jan 26, 2026
Last Updated	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for meta react-server-dom-webpack

Be the first to know when new high vulnerabilities affecting meta react-server-dom-webpack are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Meta / react-server-dom-webpack

19.0.0 < 19.0.4 19.1.0 < 19.1.5 19.2.0 < 19.2.4

Meta / react-server-dom-turbopack

19.0.0 < 19.0.4 19.1.0 < 19.1.5 19.2.0 < 19.2.4

Meta / react-server-dom-parcel

19.0.0 < 19.0.4 19.1.0 < 19.1.5 19.2.0 < 19.2.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

facebook.com: https://www.facebook.com/security/advisories/cve-2026-23864 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-23864 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2433059 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json access.redhat.com: https://access.redhat.com/errata/RHSA-2026:13571