The team behind React, the JavaScript library that powers a vast swath of the modern web, has issued an urgent security advisory warning that previous attempts to patch a Denial of Service (DoS) vulnerability were “incomplete.” A new high-severity flaw, tracked as CVE-2026-23864, has been discovered in React Server Components, leaving applications vulnerable to crashes and resource exhaustion.
With a CVSS score of 7.5, the vulnerability highlights the growing pains of adopting server-side rendering technologies in the JavaScript ecosystem.
The initial safeguards put in place to stop DoS attacks didn’t fully close the door. “It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities still exist,” the advisory states.
The vulnerability targets the core mechanism of how React handles server-side logic. By sending “specially crafted HTTP requests to Server Function endpoints,” an attacker can trigger a cascade of resource consumption.
Depending on the specific configuration and code path, this traffic can lead to “server crashes, out-of-memory exceptions or excessive CPU usage,” effectively knocking the application offline.
The issue is specific to the server-dom packages used by bundlers. The vulnerability affects versions 19.0.0 through 19.2.3 of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
The advisory clarifies that “If your app’s React code does not use a server, your app is not affected by this vulnerability.” Traditional client-side Single Page Applications (SPAs) that do not leverage Server Components or Server Functions remain safe.
React developers are strongly urged to update their dependencies immediately to the newly released patched versions.
- For the 19.0.x branch: Upgrade to 19.0.4
- For the 19.1.x branch: Upgrade to 19.1.5
- For the 19.2.x branch: Upgrade to 19.2.4
“We recommend updating immediately,” the React team emphasized, noting that the fixes have been backported to ensure broad coverage across supported versions.
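One practical way to act on the advisory is to check a project's lockfile for the three affected packages and the 19.0.0 through 19.2.3 range, mapping each hit to the patched release for its branch. The script below is an added example, not code from the React team or the advisory; the lockfile fragment in it is constructed, and it assumes the lockfileVersion 2/3 layout where `packages` keys look like `node_modules/<name>`.

```javascript
// Added example (not from the advisory): audit a package-lock.json "packages" map
// for the react-server-dom packages and versions named in CVE-2026-23864.
const AFFECTED_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
const AFFECTED_MIN = [19, 0, 0]; // inclusive range taken from the advisory
const AFFECTED_MAX = [19, 2, 3];
const PATCHED_BY_BRANCH = { "19.0": "19.0.4", "19.1": "19.1.5", "19.2": "19.2.4" };

// Parse "MAJOR.MINOR.PATCH"; a pre-release/build suffix is ignored so that canary
// builds of an affected base version are still flagged. Returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  const p = parseVersion(version);
  return p !== null && compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, AFFECTED_MAX) <= 0;
}

// `lock` is a parsed package-lock.json (lockfileVersion 2 or 3). Nested installs such as
// "node_modules/next/node_modules/<name>" are covered by taking the last path segment.
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!AFFECTED_PACKAGES.has(name) || !entry || !isAffectedVersion(entry.version)) continue;
    const [major, minor] = parseVersion(entry.version);
    findings.push({ path, version: entry.version, upgradeTo: PATCHED_BY_BRANCH[`${major}.${minor}`] });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project).
const SAMPLE_LOCK = {
  packages: {
    "": { version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/react-server-dom-parcel": { version: "19.2.4" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.0.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version} affected; upgrade to ${f.upgradeTo}`);
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means none of the three packages is installed at an affected version.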