React Server Components have been found to have multiple denial of service (DoS) vulnerabilities that impact a number of popular npm packages. Applications utilizing React Server Components are vulnerable to server crashes, memory exhaustion, and excessive CPU consumption due to the flaws, which were discovered on January 26, 2026.

This has prompted urgent security updates for all affected versions.

Details of Critical Vulnerabilities

Security experts discovered that earlier fixes for DoS flaws in React Server Components were insufficient, leaving apps vulnerable to fresh attack methods. Three core packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) are impacted by the vulnerabilities, which can be exploited by sending specially constructed HTTP requests to Server Function endpoints.

CVE ID: CVE-2026-23864
Severity: High
CVSS Score: 7.5
Attack Vector: Network

Malicious requests that can start endless loops and cause server processes to hang and use CPU resources indefinitely are part of the attack mechanism. Attackers can send low-complexity, specially constructed network requests without the need for user interaction or privileges. Although confidentiality and integrity are unaffected, the vulnerability affects system availability.

Packages and Versions Affected

Applications that support the React Server Components architecture are still vulnerable even if they do not implement React Server Function endpoints. The vulnerability stems from an incomplete fix in previous security patches and shows how early remediation efforts failed to address all attack vectors.

Versions Affected by Packages

react-server-dom-webpack: 19.0.0-19.0.3, 19.1.0-19.1.4, 19.2.0-19.2.3, 19.0.4, 19.1.5, 19.2.4
react-server-dom-parcel: 19.0.0-19.0.3, 19.1.0-19.1.4, 19.2.5
react-server-dom-turbopack: 19.0.0-19.0.3, 19.2.4 19.0.4, 19.1.5, and 19.2.4

To fix these serious vulnerabilities, the React team has released emergency security patches. Vulnerable versions 19.0.0 through 19.0.3, 19.1.0 through 19.1.4, and 19.2.0 through 19.2.3 need to be updated right away to the patched versions 19.0.4, 19.1.5, or 19.2.4.

Framework Impact and Remediation

Next.js, React Router, Waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk are among the frameworks and bundlers that are impacted.

Organizations that have already updated to versions 19.0.3, 19.1.4, or 19.2.3 are required to apply new patches because those releases still leave systems vulnerable to exploitation due to incomplete fixes. The React team advises updating to the most recent patched versions right away.

To avoid possible service interruptions, administrators should give updating production environments running React Server Components top priority. These vulnerabilities do not affect or necessitate updates for applications that do not use server-side React code or React Server Components. The revelation emphasizes how difficult it is to secure contemporary JavaScript frameworks and how crucial it is to conduct extensive security testing before applying patches.

All React Server Component packages should be updated to the most recent secure versions, and development teams should examine their dependency chains.
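One way to examine a dependency chain for the versions listed above, as an added example that is not code from the React team or the original article. It assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3); the sample lockfile and the `some-framework` name are constructed for illustration.

```javascript
// Added example: flag installed react-server-dom-* versions the article lists as vulnerable.
const PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// From the article: 19.0.0-19.0.3, 19.1.0-19.1.4 and 19.2.0-19.2.3 are vulnerable;
// 19.0.4, 19.1.5 and 19.2.4 are patched. Maps release line -> first patched patch number.
const FIRST_FIXED_PATCH = { "19.0": 4, "19.1": 5, "19.2": 4 };

function isVulnerable(version) {
  // Prerelease tags are ignored, so "19.0.0-rc.1" is treated like "19.0.0".
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const fixed = FIRST_FIXED_PATCH[`${m[1]}.${m[2]}`];
  if (fixed === undefined) return false; // release line not covered by the article
  return Number(m[3]) < fixed;
}

function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the package name.
    const name = path.split("node_modules/").pop();
    if (PACKAGES.includes(name) && isVulnerable(meta.version || "")) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/react-server-dom-webpack": { version: "19.1.4" },
    "node_modules/react-server-dom-parcel": { version: "19.2.4" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.0.3" },
  },
};

// For a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.name}@${h.version} is in a vulnerable range`);
}
```

A framework that ships its own bundled copy of these packages will not appear as a separate lockfile entry, so also compare the framework's installed version against its own advisory.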