Cyber Resilience

CVE-2026-23864

Published: 26 January 2026

Published
26 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0198 84.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23864 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Facebook React. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

Multiple denial of service vulnerabilities exist in React Server Components, affecting the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The issues are tracked under CWE-400 and CWE-502 with a CVSS 3.1 score of 7.5 and are triggered by specially crafted HTTP requests to Server Function endpoints, which can produce server crashes, out-of-memory conditions, or excessive CPU usage depending on the exercised code path, application configuration, and surrounding code.

An unauthenticated remote attacker can send malicious requests to the exposed endpoints and thereby disrupt availability of any application relying on the vulnerable React Server Components packages.

The referenced Facebook security advisory states that organizations should strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues.

The associated EPSS score remains flat at 0.0198 with no material increase after disclosure.

EU & UK References

Vulnerability details

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or…

more

excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in exposed React Server Function endpoints allows remote unauthenticated exploitation (T1190) via crafted HTTP requests that trigger resource exhaustion or crashes (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55182Same product: Facebook React
CVE-2026-21619Shared CWE-400, CWE-502
CVE-2026-23869Shared CWE-400, CWE-502
CVE-2026-39304Shared CWE-400
CVE-2025-22777Shared CWE-502
CVE-2026-21637Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-70886Shared CWE-400
CVE-2026-46834Shared CWE-400
CVE-2026-33204Shared CWE-400

Affected Assets

facebook
react
19.0.0 — 19.0.4 · 19.1.0 — 19.1.5 · 19.2.0 — 19.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation through upgrading vulnerable React Server Components packages, directly preventing exploitation of the DoS vulnerabilities.

prevent

Implements denial-of-service protections at system boundaries to block specially crafted HTTP requests targeting Server Function endpoints.

prevent

Validates information inputs to Server Function endpoints, preventing processing of malformed requests that cause server crashes, OOM, or excessive CPU usage.

References