Threat actors can now launch Denial-of-Service (DoS) attacks against susceptible servers thanks to a number of serious security flaws in React Server Components. Because earlier security fixes were incomplete, the vulnerabilities, tracked as CVE-2026-23864 with a CVSS score of 7.5, need to be fixed right away.

While evaluating the efficacy of earlier patches, security researchers found more attack vectors, proving that the framework still has several DoS vulnerabilities.

Details of the Vulnerability

Three npm packages that manage React Server Components are vulnerable: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. By sending specially constructed HTTP requests to Server Function endpoints, attackers can take advantage of these vulnerabilities and cause server crashes, out-of-memory exceptions, or excessive CPU usage.

| Affected Package | CVE ID | CVSS Score | Vulnerability Type |
|---|---|---|---|
| react-server-dom-parcel | CVE-2026-23864 | 7.5 | Denial of Service (DoS) |
| react-server-dom-turbopack | CVE-2026-23864 | 7.5 | Denial of Service (DoS) |
| react-server-dom-webpack | CVE-2026-23864 | 7.5 | Denial of Service (DoS) |

The particular vulnerable code path being exploited, the application configuration, and the underlying application code all affect how serious and impactful the exploitation is. These vulnerabilities affect organizations that use React frameworks and bundlers, including Next.js, React Router, Waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk.

The disclosure adheres to a standard procedure in critical vulnerability management, in which security researchers examine early patches and search nearby code paths for ways to get around them.

Even though it can be annoying at times, this iterative process is a good security response cycle, much like what happened following the Log4Shell vulnerability.

Versions and Patches Affected

| Affected Versions | Patched Version |
|---|---|
| 19.0.0–19.0.3 | 19.0.4 |
| 19.1.0–19.1.4 | 19.1.5 |
| 19.2.0–19.2.3 | 19.2.4 |

These vulnerabilities don't affect applications whose React code does not use a server or React Server Components. Similarly, there is no risk for applications that do not have a framework, a bundler, or a bundler plugin that supports React Server Components.

| Environment | Update These Packages |
|---|---|
| React Native (Monorepo) | react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack |

React Native users working in monorepo environments are advised to update the packages listed above; react and react-dom should not be updated.
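One way to check a project against the affected version ranges listed above, as an added example that is not from the article or the React project: it scans the `packages` map of an npm `package-lock.json` for the three packages, including copies nested under a framework, and reports the patched release. The sample lockfile and the names `demo-app` and `demo-framework` are constructed for illustration.

```javascript
// Affected ranges and first patched versions, as listed in the article.
const ADVISORY = {
  packages: ["react-server-dom-webpack", "react-server-dom-parcel",
             "react-server-dom-turbopack"],
  ranges: [
    { from: "19.0.0", to: "19.0.3", fixed: "19.0.4" },
    { from: "19.1.0", to: "19.1.4", fixed: "19.1.5" },
    { from: "19.2.0", to: "19.2.3", fixed: "19.2.4" },
  ],
};

// Parse "major.minor.patch"; anything else (prerelease tags, missing version)
// returns null so it is flagged for manual review instead of being guessed at.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths, so nested copies under a framework are found too.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!ADVISORY.packages.includes(name)) continue;
    const ver = parseVersion(entry.version || "");
    if (!ver) { findings.push({ path, version: entry.version, status: "review" }); continue; }
    const hit = ADVISORY.ranges.find((r) =>
      compare(ver, parseVersion(r.from)) >= 0 && compare(ver, parseVersion(r.to)) <= 0);
    if (hit) findings.push({ path, version: entry.version, status: "affected", fixed: hit.fixed });
  }
  return findings;
}

// Constructed sample lockfile (hypothetical app and framework names).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.3" },
    "node_modules/demo-framework/node_modules/react-server-dom-turbopack": { version: "19.2.4" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0-rc.1" },
    "node_modules/react": { version: "19.1.3" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of its `package-lock.json` to `findAffected` in place of `SAMPLE_LOCK`.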