Summary of CVE-2026-23864

Summary

Multiple high-severity vulnerabilities in React Server Components were responsibly disclosed. Importantly, these vulnerabilities do not allow for Remote Code Execution.

We created new rules to address these vulnerabilities and deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection. Immediate upgrades to a patched version are required.

Impact

React CVE-2026-23864 (CVSS 7.5)

CVE-2026-23864 addresses multiple denial-of-service vulnerabilities in React Server Components. They are triggered by specially crafted HTTP requests to Server Function endpoints and, depending on the vulnerable code path being exercised, the application configuration and the application code, can lead to server crashes, out-of-memory exceptions or excessive CPU usage.

These vulnerabilities are present in versions 19.0.x, 19.1.x, and 19.2.x of the following packages:

  • react-server-dom-parcel

  • react-server-dom-webpack

  • react-server-dom-turbopack

These packages are included in the following frameworks and bundlers:

  • Next.js: 13.x, 14.x, 15.x, and 16.x.

  • Other frameworks and plugins that embed or depend on the React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Resolution

After creating mitigations for this vulnerability, we deployed them across our globally distributed platform to protect our customers. We still recommend upgrading to the latest patched version.

Updated releases of React and affected downstream frameworks include fixes to prevent this issue. All users should upgrade to a patched version as soon as possible.

Fixed in

  • React: 19.0.4, 19.1.5, 19.2.4.

  • Next.js: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.
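To turn the version lists above into a repeatable check, here is an added example (not code from Vercel, React or Next.js) that compares the package versions recorded in a lockfile against the affected lines and patched releases stated in this advisory. The version tables in the script are transcribed from the advisory; the lockfile object is constructed for the demonstration, and the `packages` / `node_modules/<name>` layout assumed is that of npm's lockfile v2/v3. `next` is the npm package name of Next.js. For a Next.js line where the advisory lists no patched release (13.x, 14.x), the script reports the package as vulnerable with no in-line fix, which is the signal to move to a line that has one.

```javascript
// Added example: check installed versions against the advisory's affected
// lines and patched releases. Version data transcribed from the advisory;
// the sample lockfile below is constructed, not a real project file.

const ADVISORY = {
  // React Server Components packages: affected minor lines and patched releases.
  'react-server-dom-parcel':    { lines: ['19.0', '19.1', '19.2'], patched: ['19.0.4', '19.1.5', '19.2.4'] },
  'react-server-dom-webpack':   { lines: ['19.0', '19.1', '19.2'], patched: ['19.0.4', '19.1.5', '19.2.4'] },
  'react-server-dom-turbopack': { lines: ['19.0', '19.1', '19.2'], patched: ['19.0.4', '19.1.5', '19.2.4'] },
  // Next.js: affected major lines; note that 13.x and 14.x have no patched release listed.
  next: {
    lines: ['13', '14', '15', '16'],
    patched: ['15.0.8', '15.1.12', '15.2.9', '15.3.9', '15.4.11', '15.5.10',
              '15.6.0-canary.61', '16.0.11', '16.1.5', '16.2.0-canary.9'],
  },
};

// Parse "major.minor.patch[-prerelease][+build]" (build metadata is ignored).
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(str).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric core first, then a release outranks any of its
// pre-releases, then pre-release identifiers left to right (numeric < alphanumeric).
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn !== yn) return xn ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

// Classify one installed package. `fix` is the patched release in the same
// major.minor line, or null when the advisory lists none for that line.
function assess(name, version) {
  const entry = ADVISORY[name];
  if (!entry) return { name, version, status: 'not-in-advisory' };
  const v = parseVersion(version);
  if (!v) return { name, version, status: 'unparseable' };
  const inLine = entry.lines.includes(String(v.major)) || entry.lines.includes(`${v.major}.${v.minor}`);
  if (!inLine) return { name, version, status: 'unaffected-line' };
  const fix = entry.patched.find((s) => {
    const p = parseVersion(s);
    return p.major === v.major && p.minor === v.minor;
  }) || null;
  if (!fix) return { name, version, status: 'vulnerable', fix: null };
  const status = compareVersions(v, parseVersion(fix)) >= 0 ? 'patched' : 'vulnerable';
  return { name, version, status, fix };
}

// Walk an npm lockfile (v2/v3 "packages" map) and return the vulnerable entries.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const result = assess(name, meta.version);
    if (result.status === 'vulnerable') findings.push(result);
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/next': { version: '15.5.9' },
    'node_modules/react-server-dom-webpack': { version: '19.2.3' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.4' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: vulnerable, ` +
              (f.fix ? `upgrade to ${f.fix}` : 'no patched release listed for this line'));
}
```

Run it with `node check-rsc.js` after replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a pnpm or yarn lockfile needs a different walker, but `assess` is unchanged. The comparison deliberately treats a plain release (for example `16.2.0`) as newer than the listed canary, which is what semver precedence says and what the canary fix versions in the list imply.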

Credit

We thank Mufeed VH from Winfunc Research, Joachim Viide, RyotaK from GMO Flatt Security and Xiangwei Zhang of Tencent Security YUNDING LAB for their responsible disclosure.
