Platform
nodejs
Component
react-server-dom-parcel
Fixed versions
19.0.4
19.1.5
19.2.4
CVE-2026-23864 describes a Denial of Service (DoS) vulnerability impacting React Server Components within Next.js applications. Attackers can exploit this flaw by sending specially crafted HTTP requests to App Router Server Function endpoints, potentially leading to resource exhaustion and service disruption. This vulnerability affects Next.js versions 13.x, 14.x, 15.x, and 16.x, and is fixed in Next.js 15.0.8.
The primary impact of CVE-2026-23864 is a denial of service. A malicious actor can craft HTTP requests designed to trigger excessive CPU usage or out-of-memory conditions when these requests are deserialized by vulnerable Server Function endpoints. This can effectively crash the server, rendering the application unavailable to legitimate users. The blast radius extends to any application utilizing the affected React Server Components, potentially impacting critical business functions and user experience. While not directly exploitable for data exfiltration, the disruption caused by the DoS can be leveraged for other malicious purposes, such as distraction during other attacks.
CVE-2026-23864 was published on January 28, 2026. The vulnerability is tracked upstream as GHSA-83fc-fqcc-2hmg in the React repository. Public proof-of-concept (POC) code is likely to emerge given the relatively straightforward nature of the DoS attack. The EPSS score is pending evaluation, but the ease of exploitation suggests a potential for medium to high probability of exploitation in exposed environments.
Exploit status
EPSS
1.40% (80th percentile)
CVSS vector
The recommended mitigation for CVE-2026-23864 is to upgrade to Next.js version 15.0.8 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing rate limiting on App Router Server Function endpoints to restrict the number of requests from a single source. Web Application Firewalls (WAFs) can be configured to detect and block suspicious HTTP requests that exhibit patterns indicative of exploitation. Thoroughly review and validate all incoming data to Server Function endpoints to prevent malicious deserialization.
Update the react-server-dom-webpack package to the latest available version. It is recommended to update to version 19.0.4 or later for the 19.0.x line, version 19.1.5 or later for the 19.1.x line, and version 19.2.4 or later for the 19.2.x line. This mitigates the denial-of-service vulnerabilities.
CVE-2026-23864 is a denial-of-service vulnerability affecting React Server Components in Next.js versions 13.x-16.x. A crafted HTTP request can cause excessive CPU usage or server crashes, leading to service disruption.
If you are using Next.js versions 13.x, 14.x, 15.x, or 16.x and utilize React Server Components, you are potentially affected by this vulnerability. Check your Next.js version using nx version.
Upgrade to Next.js version 15.0.8 or later to resolve this vulnerability. If upgrading is not immediately possible, implement rate limiting and review your Server Function code for potential vulnerabilities.
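The interim rate-limiting mitigation described above (and in the mitigation paragraph earlier on this page), as an added example that is not part of the advisory or of any Next.js or React code. It assumes a Server Function invocation is recognisable as a POST carrying a `Next-Action` header, that the request is passed in as a plain object with lowercase header keys, and that the caller (for instance a Next.js middleware) supplies the client source string; the limiter is in-memory and per-process, so a real deployment behind several instances would need a shared store.

```javascript
// Added example: per-source sliding-window limiter plus a request-size cap, meant to
// front App Router Server Function endpoints until the fixed versions are deployed.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;       // max requests per source per window
    this.windowMs = windowMs; // window length in milliseconds
    this.hits = new Map();    // source -> timestamps (ms) of recent requests
  }

  // Returns true when the request may proceed, false when the source is over quota.
  check(source, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(source) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(source, recent); // keep the pruned list, do not count the rejected hit
      return false;
    }
    recent.push(now);
    this.hits.set(source, recent);
    return true;
  }
}

// Assumption: Server Function calls are POSTs with a `next-action` header.
function isServerFunctionRequest(req) {
  return req.method === 'POST' && req.headers['next-action'] !== undefined;
}

// Builds a guard that only throttles Server Function requests and also rejects
// oversized bodies before they reach the deserializer.
function makeGuard({ limiter, maxBodyBytes }) {
  return function guard(req, source, now = Date.now()) {
    if (!isServerFunctionRequest(req)) return { allow: true };
    const declared = Number(req.headers['content-length'] || 0);
    if (declared > maxBodyBytes) {
      return { allow: false, status: 413, reason: 'payload too large' };
    }
    if (!limiter.check(source, now)) {
      return { allow: false, status: 429, reason: 'rate limited' };
    }
    return { allow: true };
  };
}

// Constructed sample: 20 Server Function calls per 10 s per source, 64 KiB body cap.
const guard = makeGuard({
  limiter: new SlidingWindowLimiter({ limit: 20, windowMs: 10_000 }),
  maxBodyBytes: 64 * 1024,
});
```

A rejected request is a detection signal in its own right: logging the source, status and reason from the guard's result gives a simple feed for spotting bursts against Server Function endpoints.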
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation suggests a potential for exploitation. Monitor your systems and logs for suspicious activity.
You can find the official advisory on the React security advisories page: https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg