CVE Reports

Posted on • Originally published at cvereports.com

React Server Components: The Flight to Nowhere (CVE-2026-23864)

Vulnerability ID: CVE-2026-23864
CVSS Score: 7.5
Published: 2026-01-29

Multiple Denial of Service (DoS) and Prototype Pollution vulnerabilities exist in the React Server Components (RSC) 'Flight' protocol implementation. These flaws allow attackers to trigger Out-of-Memory (OOM) crashes, excessive CPU consumption, or potentially pollute the object prototype chain via specially crafted RSC stream payloads.

TL;DR

React's 'Flight' protocol failed to enforce limits during deserialization. Attackers can send malicious streams to Next.js/React servers that allocate massive arrays, parse enormous BigInts, or traverse __proto__. This kills the server instantly. Patched in 19.0.4, 19.1.5 and 19.2.4.


⚠️ Exploit Status: POC

Technical Details

  • CWE IDs: CWE-502 (Deserialization), CWE-400 (Resource Exhaustion)
  • Attack Vector: Network (HTTP POST)
  • CVSS v3.1: 7.5 (High)
  • EPSS Score: 0.00603 (68.98%)
  • Exploit Status: PoC (Private)
  • Protocol: React 'Flight' RPC

Affected Systems

  • Next.js Applications (App Router)
  • Remix Framework (Future RSC support)
  • React Server Components (Custom Implementations)
  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel
  • react-server-dom-webpack: 19.0.0 ≤ version < 19.0.4 (fixed in 19.0.4)
  • react-server-dom-webpack: 19.1.0 ≤ version < 19.1.5 (fixed in 19.1.5)
  • react-server-dom-webpack: 19.2.0 ≤ version < 19.2.4 (fixed in 19.2.4)

Code Analysis

Commit: 63d61c7

Fix DoS and prototype pollution in server components

// Keys named "__proto__" are skipped while a Flight chunk is deserialized,
// so a crafted payload cannot write into Object.prototype.
const __PROTO__ = '__proto__';
if (key === __PROTO__) { return undefined; }
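The snippet above shows only the prototype-pollution guard. The following is an added example, not React's Flight implementation and not from the commit: a deliberately simplified deserializer that applies all three defences the advisory calls for (rejecting `__proto__` keys, bounding pre-allocated array lengths, bounding BigInt literal size). The wire format is hypothetical, plain JSON in which a string prefixed with `$n` encodes a BigInt and an object `{"$arr": N}` asks the receiver to pre-allocate an array of length N; the limits `MAX_ARRAY_LENGTH` and `MAX_BIGINT_DIGITS` are assumed values, and the sample chunks are constructed.

```javascript
'use strict';

// Assumed bounds; tune them to the largest legitimate payloads you serve.
const MAX_ARRAY_LENGTH = 10_000;
const MAX_BIGINT_DIGITS = 1_000;
const __PROTO__ = '__proto__';

class FlightPayloadError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // 'proto' | 'array' | 'bigint' | 'malformed'
  }
}

// JSON.parse calls the reviver once per key/value pair, bottom-up, so every
// nested construct is checked before its parent is assembled.
function reviveValue(key, value) {
  // 1. Prototype pollution: never let a "__proto__" key through. The React
  //    fix returns undefined to drop the key; rejecting the whole chunk
  //    instead makes the attempt visible to monitoring.
  if (key === __PROTO__) {
    throw new FlightPayloadError('proto', 'rejected __proto__ key in payload');
  }

  // 2. BigInt exhaustion: bound the digit count BEFORE calling BigInt(),
  //    which is where the CPU would otherwise be spent.
  if (typeof value === 'string' && value.startsWith('$n')) {
    const digits = value.slice(2);
    if (!/^-?\d+$/.test(digits)) {
      throw new FlightPayloadError('malformed', 'BigInt literal is not numeric');
    }
    if (digits.length > MAX_BIGINT_DIGITS) {
      throw new FlightPayloadError('bigint', `BigInt literal exceeds ${MAX_BIGINT_DIGITS} digits`);
    }
    return BigInt(digits);
  }

  // 3. Array pre-allocation: bound the requested length BEFORE new Array(n),
  //    which is where the memory would otherwise be allocated.
  if (value !== null && typeof value === 'object' && !Array.isArray(value) &&
      Object.prototype.hasOwnProperty.call(value, '$arr')) {
    const n = value.$arr;
    if (!Number.isInteger(n) || n < 0 || n > MAX_ARRAY_LENGTH) {
      throw new FlightPayloadError('array', `array length ${n} outside 0..${MAX_ARRAY_LENGTH}`);
    }
    return new Array(n).fill(null);
  }
  return value;
}

// Parse one chunk; throws FlightPayloadError on any rejected construct.
function deserializeChunk(payload) {
  return JSON.parse(payload, reviveValue);
}

// Returns 'ok' or the rejection code; convenient for logging and tests.
function classifyChunk(payload) {
  try {
    deserializeChunk(payload);
    return 'ok';
  } catch (err) {
    if (err instanceof FlightPayloadError) return err.code;
    return 'malformed'; // JSON syntax errors and anything else
  }
}

// Constructed sample chunks in the hypothetical format (not real exploit payloads).
const SAMPLES = {
  benign: '{"user":{"id":7,"balance":"$n1250"},"tags":["a","b"]}',
  proto:  '{"__proto__":{"isAdmin":true}}',
  bigint: '{"n":"$n' + '9'.repeat(5000) + '"}',
  array:  '{"buf":{"$arr":4294967295}}',
};

for (const [name, chunk] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(6), '->', classifyChunk(chunk));
}
```

Each check sits immediately before the operation that would do the damage (the `BigInt()` call, the `new Array(n)` allocation, the property write), which is the only place a limit is guaranteed to be enforced. A real Flight parser streams chunks rather than calling `JSON.parse` on a whole document, but the placement of the checks is the same.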

Exploit Details

Mitigation Strategies

  • Update React Server DOM packages
  • Implement WAF rules for RSC payloads
  • Monitor for OOM crashes

Remediation Steps:

  1. Identify the package manager (npm, yarn, pnpm) used in the project.
  2. Run npm outdated or equivalent to check current versions of react and react-server-dom-*.
  3. Update to React version 19.0.4, 19.1.5, or 19.2.4 or later using npm update.
  4. Verify the update by checking node_modules/react-server-dom-webpack/package.json.
  5. Restart the application server to load the new code.
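Steps 2 through 4 above can be scripted. The following is an added example, not part of the advisory or of React's tooling: it compares an installed react-server-dom-* version against the fixed versions listed above (19.0.4, 19.1.5, 19.2.4) and reads `node_modules/<package>/package.json` for each of the three package names. The package list and the reading of `package.json` are taken from the page; the function names and the `outside-ranges` / `unparseable` labels are this example's own.

```javascript
'use strict';

// Fixed patch level for each affected 19.x minor line, from the advisory.
const FIXED_PATCH = { '0': 4, '1': 5, '2': 4 }; // 19.0.4, 19.1.5, 19.2.4

// Package names listed under "Affected Systems".
const PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
];

// Extract major.minor.patch; prerelease/build suffixes are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// 'vulnerable' | 'patched' | 'outside-ranges' | 'unparseable'
// 'outside-ranges' means the version is not in any range the advisory lists,
// which is not the same as "safe".
function assessVersion(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const minorKey = String(v.minor);
  if (v.major !== 19 || !Object.prototype.hasOwnProperty.call(FIXED_PATCH, minorKey)) {
    return 'outside-ranges';
  }
  return v.patch >= FIXED_PATCH[minorKey] ? 'patched' : 'vulnerable';
}

// Assess the text of a package.json (step 4 of the remediation list).
function assessPackageJson(jsonText) {
  try {
    return assessVersion(JSON.parse(jsonText).version);
  } catch {
    return 'unparseable';
  }
}

// Walk node_modules for each affected package name. Requires Node's fs/path,
// loaded lazily so the pure functions above stay usable without them.
function assessProject(projectDir) {
  const fs = require('fs');
  const path = require('path');
  const results = {};
  for (const name of PACKAGES) {
    const file = path.join(projectDir, 'node_modules', name, 'package.json');
    results[name] = fs.existsSync(file)
      ? assessPackageJson(fs.readFileSync(file, 'utf8'))
      : 'not-installed';
  }
  return results;
}

// Constructed sample versions to show each outcome.
for (const v of ['19.0.3', '19.0.4', '19.1.4', '19.2.4', '18.3.1']) {
  console.log(v.padEnd(7), '->', assessVersion(v));
}
```

Run `assessProject('.')` from the project root after `npm update`; any package still reported `vulnerable` has not actually been replaced on disk (lockfile pinning and nested duplicate installs are the usual reasons). Because the version regex drops prerelease suffixes, a canary build of a fixed version is reported as `patched`; treat that as a prompt to check the exact build, not as a guarantee.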
