React Server Component Security Update Advisory (CVE-2026-23864)
Overview
We have released a security update to address a vulnerability in React Server Component (RSC). Users of affected products are advised to update to the latest version.
Affected Products
CVE-2026-23864
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Versions: 19.0.0 or later and 19.0.4 or earlier
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Versions: 19.1.0 or later and 19.1.5 or earlier
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Versions: 19.2.0 or later and 19.2.4 or earlier
Resolved Vulnerabilities
Denial of service vulnerability in React Server Components (CVE-2026-23864)
Vulnerability Patches
Patches for this vulnerability are available in the latest update. Follow the instructions on the sites listed under References to update to the patched version.
CVE-2026-23864
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Version: 19.0.4
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Version: 19.1.5
react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack Version: 19.2.4
References
[1] cve-2026-23864
https://www.facebook.com/security/advisories/cve-2026-23864
[2] Denial of Service and Source Code Exposure in React Server Components