{"id":10166,"date":"2026-01-27T10:03:37","date_gmt":"2026-01-27T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/multiple-vulnerabilities-in-react-server-components-enable-dos-attacks\/"},"modified":"2026-01-27T10:03:37","modified_gmt":"2026-01-27T10:03:37","slug":"multiple-vulnerabilities-in-react-server-components-enable-dos-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/multiple-vulnerabilities-in-react-server-components-enable-dos-attacks\/","title":{"rendered":"Multiple Vulnerabilities in React Server Components Enable DoS Attacks"},"content":{"rendered":"<p>    Multiple Vulnerabilities in React Server Components Enable DoS Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Multiple critical security vulnerabilities have recently been disclosed in <a href=\"https:\/\/cybersecuritynews.com\/react-server-components-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">React Server<\/a> Components, enabling threat actors to launch Denial-of-Service (DoS) attacks against vulnerable servers.<\/p>\n<p>The flaws, tracked as CVE-2026-23864 with a CVSS score of 7.5, are due to incomplete patches from previous security fixes and require immediate remediation.<\/p>\n<p>Security researchers discovered additional attack vectors during testing the effectiveness of previous patches, demonstrating that multiple <a href=\"https:\/\/cybersecuritynews.com\/go-1-25-6-and-1-24-12-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">DoS <\/a>vulnerabilities persist in the framework.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-details\"><strong>Vulnerability Details<\/strong><\/h2>\n<p>The vulnerabilities affect three <a href=\"https:\/\/cybersecuritynews.com\/three-malicious-npm-packages-attacking-developers\/\" target=\"_blank\" rel=\"noreferrer noopener\">npm packages<\/a> that handle React Server Components: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.<\/p>\n<p>Attackers can exploit these flaws by sending specially crafted HTTP requests to Server Function endpoints, triggering server crashes, out-of-memory exceptions, or excessive CPU consumption.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>CVE ID<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>CVSS Score<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Vulnerability Type<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Affected Packages<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-2026-23864<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">7.5<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Denial of Service (DoS)<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">react-server-dom-parcel<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-2026-23864<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">7.5<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Denial of Service (DoS)<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">react-server-dom-turbopack<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-2026-23864<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">7.5<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Denial of Service (DoS)<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">react-server-dom-webpack<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The severity and impact of exploitation depend on the specific vulnerable code path being exercised, the application configuration, and the underlying application code.<\/p>\n<p>Organizations using React frameworks and bundlers, such as <a href=\"https:\/\/cybersecuritynews.com\/next-js-released-a-scanner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Next.js<\/a>, React Router, Waku, @parcel\/rsc, @vite\/rsc-plugin, and rwsdk, are exposed to these vulnerabilities.<\/p>\n<p>The disclosure follows a pattern typical in critical vulnerability management, where initial patches are scrutinized by security researchers who probe adjacent code paths for bypass techniques.<\/p>\n<p>This iterative process, while sometimes frustrating, represents a healthy security response cycle similar to what occurred after the <a href=\"https:\/\/cybersecuritynews.com\/lazarus-log4shell-exploits\/\" target=\"_blank\" rel=\"noreferrer noopener\">Log4Shell <\/a>vulnerability.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-affected-versions-and-patches\"><strong>Affected Versions and Patches<\/strong><\/h2>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Package Versions Affected<\/th>\n<th>Patched Version<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>19.0.0 \u2013 19.0.3<\/td>\n<td>19.0.4<\/td>\n<\/tr>\n<tr>\n<td>19.1.0 \u2013 19.1.4<\/td>\n<td>19.1.5<\/td>\n<\/tr>\n<tr>\n<td>19.2.0 \u2013 19.2.3<\/td>\n<td>19.2.4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Applications that do not use React Server Components or <a href=\"https:\/\/cybersecuritynews.com\/server-side-phishing-attacks-employees-member-portals\/\" target=\"_blank\" rel=\"noreferrer noopener\">server-side<\/a> React code remain unaffected by these vulnerabilities.<\/p>\n<p>Similarly, applications without a framework, a bundler, or a bundler plugin that supports React Server Components face no risk.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Environment<\/th>\n<th>Update These Packages<\/th>\n<th>Do NOT Update<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>React Native (Monorepo)<\/td>\n<td>react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack<\/td>\n<td>react, react-dom<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>According to the advisory <a href=\"https:\/\/github.com\/facebook\/react\/security\/advisories\/GHSA-83fc-fqcc-2hmg\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">published<\/a>, React Native users operating in monorepo environments should update :<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/react-server-components-vulnerability\/\">Multiple Vulnerabilities in React Server Components Enable DoS Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/react-server-components-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Multiple Vulnerabilities in React Server Components Enable DoS Attacks Multiple critical security vulnerabilities have recently been disclosed in React Server Components, enabling threat actors to launch Denial-of-Service (DoS) attacks against vulnerable servers. The flaws, tracked as CVE-2026-23864 with a CVSS score of 7.5, are due to incomplete patches from previous security fixes and require immediate [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1438,648],"tags":[130],"class_list":["post-10166","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-dos-attack","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10166"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10166"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10166\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}