PT-2026-4812 · Unknown · React-Server-Dom-Parcel+2

Published: 2025-12-03 · Updated: 2026-05-08 · CVE-2026-23864

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

React versions 19.0.0 through 19.2.3
react-server-dom-webpack versions 19.0.0 through 19.2.3
react-server-dom-parcel versions 19.0.0 through 19.2.3
react-server-dom-turbopack versions 19.0.0 through 19.2.3
Next.js versions 13.x through 16.x
Description

Multiple denial of service vulnerabilities exist in React Server Components. They are triggered by sending specially crafted HTTP requests to Server Function endpoints. Exploitation can lead to server crashes, out-of-memory exceptions, or excessive CPU usage, depending on the application's configuration and code. The vulnerabilities stem from how the server handles multipart/form-data requests, specifically when decoding payloads that contain reference tokens of the form $K<id>. For each such token the parser creates a new FormData object and fully scans the original FormData, so a request carrying a large number of tokens makes the work grow with the number of tokens times the number of fields and exhausts memory. No remote code execution is possible, but the denial of service impact is significant. Cloudflare and Akamai have released WAF rules to mitigate these vulnerabilities.
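As an added example (not part of this advisory and not React's own code), the following Node.js snippet shows the kind of pre-decode guard a WAF rule or an application middleware can apply: it counts $K<id> reference tokens in a parsed Server Function request body and refuses bodies that exceed a budget before the RSC decoder ever performs its per-token rescan. The budget of 64 tokens, the representation of the body as [name, value] entries, and the sample bodies are all assumptions made for this example.

```javascript
// Added example, not part of the advisory or of React's own code.
// Pre-filter for Server Function (RSC reply) request bodies: count `$K<id>`
// FormData reference tokens and reject bodies over a budget, so the
// token-count × field-count rescan described in the advisory is bounded.
// The default budget (64) and the [name, value] entry shape are assumptions.

const REF_TOKEN = /\$K\d+/g;

// Count every `$K<id>` token across all string-valued fields.
// `entries` is any iterable of [name, value] pairs (an Array or FormData.entries()).
function countFormDataRefTokens(entries) {
  let count = 0;
  for (const [, value] of entries) {
    if (typeof value !== 'string') continue;
    const matches = value.match(REF_TOKEN);
    if (matches) count += matches.length;
  }
  return count;
}

// Gate: returns { ok, refs, fields, reason? }. Since the vulnerable decoder
// rescans the whole FormData once per token, capping `refs` caps the work.
function checkReplyBody(entries, maxRefTokens = 64) {
  const fields = Array.from(entries); // materialise so an iterator is not consumed twice
  const refs = countFormDataRefTokens(fields);
  if (refs > maxRefTokens) {
    return {
      ok: false,
      refs,
      fields: fields.length,
      reason: `rejected: ${refs} $K reference tokens exceed budget of ${maxRefTokens}`,
    };
  }
  return { ok: true, refs, fields: fields.length };
}

// Constructed sample body (assumption): field "0" references n other fields.
function buildSampleBody(n) {
  const refs = Array.from({ length: n }, (_, i) => `$K${i + 1}`);
  return [
    ['0', JSON.stringify(refs)],      // e.g. ["$K1","$K2",...]
    ['1', 'ordinary text field'],     // no tokens
    ['2', '$K'],                      // bare prefix without an id: not a reference
  ];
}

console.log(checkReplyBody(buildSampleBody(3)));    // small body passes
console.log(checkReplyBody(buildSampleBody(5000))); // oversized body rejected
```

The guard is deliberately conservative: it counts raw occurrences of the token pattern in every string field rather than parsing the reply format, so it may over-count tokens that appear inside escaped text, which only makes it reject earlier. Upgrading to the fixed versions remains the real remedy; this filter is a stopgap of the same kind as the WAF rules mentioned above.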
Recommendations

React versions 19.0.0 through 19.2.3: upgrade to version 19.2.4 or later.
react-server-dom-webpack versions 19.0.0 through 19.2.3: upgrade to version 19.2.4 or later.
react-server-dom-parcel versions 19.0.0 through 19.2.3: upgrade to version 19.2.4 or later.
react-server-dom-turbopack versions 19.0.0 through 19.2.3: upgrade to version 19.2.4 or later.
Next.js versions 13.x through 16.x: upgrade to version 16.0.11 or later.

Fix · DoS · RCE · Resource Exhaustion · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-01949
CVE-2026-23864
GHSA-83FC-FQCC-2HMG
GHSA-H25M-26QC-WCJF

Affected Products

React-Server-Dom-Parcel
React-Server-Dom-Turbopack
React-Server-Dom-Webpack