ConfigDeck
HIGH CVSS 7.5 npm: react-server-dom-webpack CWE-400 CWE-502

React Server Components Multiple DoS (CVE-2026-23864)

Published
Jan 26, 2026
Last updated
May 9, 2026
Status
Active
GHSA
GHSA-83fc-fqcc-2hmg

Summary

React Server Components packages (`react-server-dom-webpack` / `parcel` / `turbopack`) 19.0.0 to 19.2.3 contain multiple denial-of-service flaws (CVSS 7.5) where Server Function endpoints can crash, exhaust memory, or burn CPU when handling crafted HTTP requests. Patch to 19.0.4 / 19.1.5 / 19.2.4 — or jump to 19.0.6 / 19.1.7 / 19.2.6 to also cover the May 2026 follow-up [CVE-2026-23870](./react-cve-2026-23870).


Affected versions

Affected version ranges and patched versions (each line is fixed on its own minor; there is no cross-line patch)
Affected range        Patched
>=19.0.0 <19.0.4      19.0.4
>=19.1.0 <19.1.5      19.1.5
>=19.2.0 <19.2.4      19.2.4

Hosting Environment Impact

This advisory affects every environment that exposes React Server Components Server Function endpoints to external traffic.

  • Next.js App Router (15.x / 16.x): Affected. Bundled into the Next.js patched releases — upgrading Next.js itself resolves this.
  • Vercel / Netlify / Cloudflare Pages: Affected. Hosting adapters share the same RSC runtime regardless of deployment target.
  • Self-hosted Node.js: Affected. If you run a custom RSC integration, upgrade react-server-dom-* directly.
  • Parcel / Turbopack direct use: Affected. Apply the matching patch version on the same major line.

Vulnerability Mechanism

React Server Components processes Server Function calls by accepting HTTP requests, deserializing the RSC payload, and executing it. The earlier DoS fix was incomplete, so multiple variants of payload structure could still trigger:

  • Server process crash
  • Node.js heap exhaustion, ending in a fatal out-of-memory abort of the whole process (not a catchable exception)
  • Excessive CPU during (de)serialization, which blocks the event loop and adds latency for every other request on the same instance

The CVSS 7.5 (High) rating reflects (1) no authentication required, (2) a single request can degrade availability, and (3) a very large exposed population, since every Next.js App Router deployment ships RSC.

Note: After this advisory was patched, additional DoS variants were discovered and disclosed on May 6, 2026 as CVE-2026-23870. Environments that only applied the January fix remain exposed to the May variant.

Patch & Mitigation

1. Upgrade to the patched RSC packages (this advisory only)

# Install only the binding your bundler actually uses (webpack, parcel or turbopack).

# React 19.0.x line
npm install react-server-dom-webpack@19.0.4 \
            react-server-dom-parcel@19.0.4 \
            react-server-dom-turbopack@19.0.4

# React 19.1.x line
npm install react-server-dom-webpack@19.1.5 \
            react-server-dom-parcel@19.1.5 \
            react-server-dom-turbopack@19.1.5

# React 19.2.x line
npm install react-server-dom-webpack@19.2.4 \
            react-server-dom-parcel@19.2.4 \
            react-server-dom-turbopack@19.2.4

2. Upgrade straight to the newer patch (covers CVE-2026-23870 as well)

If you have not patched yet, skip the January versions and go directly to the releases that also resolve the May 2026 follow-up:

# React 19.0.x line
npm install react-server-dom-webpack@19.0.6 \
            react-server-dom-parcel@19.0.6 \
            react-server-dom-turbopack@19.0.6

# React 19.1.x line
npm install react-server-dom-webpack@19.1.7 \
            react-server-dom-parcel@19.1.7 \
            react-server-dom-turbopack@19.1.7

# React 19.2.x line (recommended)
npm install react-server-dom-webpack@19.2.6 \
            react-server-dom-parcel@19.2.6 \
            react-server-dom-turbopack@19.2.6

3. Next.js users

Next.js App Router users do not interact with the RSC packages directly — patching Next.js itself is sufficient. The May 2026 coordinated release (nextjs-2026-05-security-release) already bundles both the January and the May fixes.

npm install next@<patched 15.x release>   # 15.x line, version per the nextjs-2026-05-security-release notes
npm install next@<patched 16.x release>   # 16.x line
npm install next@latest                   # latest stable

4. Temporary mitigations (before patching)

The same mitigations as CVE-2026-23870 apply. They reduce exposure but do not remove the flaw; patch as soon as possible.

  • Request body size limits: Cap incoming RSC endpoint bodies at the reverse proxy / WAF (Nginx `client_max_body_size`, Cloudflare, AWS ALB) so oversized payloads never reach the deserializer.
  • Rate limiting: Throttle or block bursts of RSC requests from the same IP.
  • Tighter request timeouts: Lower the Node.js `requestTimeout` / `headersTimeout` (or the proxy's equivalent) so a slow or oversized request is cut off instead of holding a worker. This bounds the damage window; it does not stop a single fast, CPU-heavy payload.

Summary

CVE-2026-23864 is a multi-variant DoS advisory in the React Server Components Server Function pipeline, disclosed because the earlier fix was incomplete. Any project that uses RSC or Next.js App Router should upgrade to a patched release that covers both this advisory and the May 2026 follow-up CVE-2026-23870 in a single upgrade.

Credits

  • mufeedvh
  • Ry0taK
  • jviide
  • marckwei

This page is based on the following data sources:

  • GitHub Advisory Database (CC-BY-4.0) — github.com/advisories
  • National Vulnerability Database (Public Domain) — nvd.nist.gov
  • MITRE CVE Program (royalty-free) — cve.mitre.org
