Wednesday, January 28th 2026 · 2 min read
CVE-2026-23864 - React Server Components DoS Vulnerabilities
Multiple denial of service vulnerabilities discovered in React Server Components. All Achromatic starter kits updated to patched versions.
A new high-severity vulnerability has been disclosed affecting React Server Components. CVE-2026-23864 covers multiple denial of service attack vectors that can crash servers, cause out-of-memory exceptions, or trigger excessive CPU usage.
We've updated all Achromatic starter kits to the latest patched versions.
Vulnerability overview
CVE-2026-23864 covers multiple denial of service vulnerabilities triggered by specially crafted HTTP requests to Server Function endpoints. Depending on the affected code path and application configuration, attacks could lead to:
- Server crashes
- Out-of-memory exceptions
- Excessive CPU usage
CVSS Score: 7.5 (High Severity)
These vulnerabilities do not allow Remote Code Execution. However, denial of service attacks can still cause significant downtime and impact your users.
Affected versions
The vulnerabilities impact these React packages across versions 19.0.x, 19.1.x, and 19.2.x:
- react-server-dom-parcel
- react-server-dom-webpack
- react-server-dom-turbopack
Next.js versions affected: 13.x, 14.x, 15.x, and 16.x
Other frameworks using React Server Components are also affected, including Vite, Parcel, React Router, RedwoodSDK, and Waku.
Fixed versions
Update to one of these patched versions:
React:
- 19.0.4
- 19.1.5
- 19.2.4
Next.js:
- 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10
- 15.6.0-canary.61
- 16.0.11, 16.1.5
- 16.2.0-canary.9
What we've done
All Achromatic starter kits have been updated to the latest patched versions.
What you should do
New projects
Clone any of our starter kits. They're already running the patched versions.
Existing projects
Update your dependencies immediately:
pnpm install next@latest react@latest react-dom@latest
Or use the official codemod:
npx @next/codemod@canary upgrade latest
Verify your React packages are at version 19.0.4, 19.1.5, or 19.2.4 or higher.
Vercel-hosted projects
Vercel has deployed Web Application Firewall rules to automatically protect hosted projects. However, you should still upgrade to patched versions as soon as possible.
Credits
The vulnerability was responsibly disclosed by researchers from:
- Winfunc Research
- GMO Flatt Security
- Tencent Security YUNDING LAB
Resources
Related
- React DoS & Source Code Exposure - Previous React Server Components vulnerabilities
- React2Shell Security Patch - Next.js 16.0.7 - The original critical RCE vulnerability
Looking for a secure foundation for your SaaS? Our starter kits are always kept up-to-date with the latest security patches.
Stay secure!