REACT’S developers have warned that a high-severity DoS flaw in Server Components, tracked as CVE-2026-23864, remains even after prior patches, potentially causing server crashes, out-of-memory errors, or excessive CPU use via specially crafted HTTP requests to Server Function endpoints. With a CVSS score of 7.5, the issue affects server-dom packages used by bundlers, specifically versions 19.0.0 through 19.2.3 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The article notes that the initial fixes were incomplete and that multiple DoS vulnerabilities still exist, according to the advisory. If an app does not use a server, it is not affected, but React developers are urged to update immediately to patched versions: 19.0.4 for the 19.0.x branch, 19.1.5 for the 19.1.x branch, and 19.2.4 for the 19.2.x branch, with backported fixes to broaden coverage, according to GitHub.