Update DoS blog post with additional CVE (#8263)

2026-02-25 23:05:23 +00:00 · 2026-01-26 14:10:27 -05:00
parent a1ddcf51a0
commit ed876185c3
2 changed files with 59 additions and 30 deletions
--- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
+++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -62,13 +62,15 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F

 These instructions have been updated to include the new vulnerabilities:

- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
 - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
-
-They also include the additional case found, patched, and disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
+- **Denial of Service - High Severity**: January 26, 2026 [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5)

 See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.

+-----
+
+_Updated January 26, 2026._
 </Note>

 ### Next.js {/*update-next-js*/}
@@ -77,18 +79,21 @@ All users should upgrade to the latest patched version in their release line:

 ```bash
 npm install next@14.2.35  // for 13.3.x, 13.4.x, 13.5.x, 14.x
-npm install next@15.0.7   // for 15.0.x
-npm install next@15.1.11  // for 15.1.x
-npm install next@15.2.8   // for 15.2.x
-npm install next@15.3.8   // for 15.3.x
-npm install next@15.4.10  // for 15.4.x
-npm install next@15.5.9   // for 15.5.x
-npm install next@16.0.10  // for 16.0.x
+npm install next@15.0.8   // for 15.0.x
+npm install next@15.1.12  // for 15.1.x
+npm install next@15.2.9   // for 15.2.x
+npm install next@15.3.9   // for 15.3.x
+npm install next@15.4.11  // for 15.4.x
+npm install next@15.5.10  // for 15.5.x
+npm install next@16.0.11  // for 16.0.x
+npm install next@16.1.5   // for 16.1.x

 npm install next@15.6.0-canary.60   // for 15.x canary releases
 npm install next@16.1.0-canary.19   // for 16.x canary releases
 ```

+15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5
+
 If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.

 If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:
--- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
+++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
@@ -9,6 +9,8 @@ description: Security researchers have found and disclosed two additional vulner

 December 11, 2025 by [The React Team](/community/team)

+_Updated January 26, 2026._
+
 ---

 <Intro>
@@ -23,7 +25,7 @@ Security researchers have found and disclosed two additional vulnerabilities in

 The new vulnerabilities are disclosed as:

- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5)
 - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)

 We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
@@ -32,12 +34,16 @@ We recommend upgrading immediately due to the severity of the newly disclosed vu

 #### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/}

-If you already updated for the Critical Security Vulnerability last week, you will need to update again.
+If you already updated for the previous vulnerabilities, you will need to update again.

-If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again.
+If you updated to 19.0.3, 19.1.4, and 19.2.3, [these are incomplete](#additional-fix-published), and you will need to update again.

 Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.

+-----
+
+_Updated January 26, 2026._
+
 </Note>

 Further details of these vulnerabilities will be provided after the rollout of the fixes are complete.
@@ -46,13 +52,13 @@ Further details of these vulnerabilities will be provided after the rollout of t

 These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).

-This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of:
+This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:

 * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
 * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
 * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

-Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+Fixes were backported to versions 19.0.4, 19.1.5, and 19.2.4. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

 As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

@@ -72,7 +78,7 @@ Additional disclosures can be frustrating, but they are generally a sign of a he

 Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).

-Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
+Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.

 ### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}

@@ -94,6 +100,36 @@ This is required to mitigate the security advisories, but you do not need to upd

 See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information.

+---
+
+## High Severity: Multiple Denial of Service {/*high-severity-multiple-denial-of-service*/}
+
+**CVEs:** [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
+**Base Score:** 7.5 (High)
+**Date**: January 26, 2025
+
+Security researchers discovered additional DoS vulnerabilities still exist in React Server Components.
+
+The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
+
+The patches published January 26th mitigate these DoS vulnerabilities.
+
+<Note>
+
+#### Additional fixes published {/*additional-fix-published*/}
+
+The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete.
+
+This left previous versions vulnerable. Versions 19.0.4, 19.1.5, 19.2.4 are safe.
+
+-----
+
+_Updated January 26, 2026._
+
+</Note>
+
+---
+
 ## High Severity: Denial of Service {/*high-severity-denial-of-service*/}

 **CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779)
@@ -105,18 +141,6 @@ This creates a vulnerability vector where an attacker may be able to deny users

 The patches published today mitigate by preventing the infinite loop.

-<Note>
-
-#### Additional fix published {/*additional-fix-published*/}
-
-The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete.
-
-This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe.
-
-We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions.
-
-</Note>
-
 ## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/}

 **CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183)
@@ -170,9 +194,9 @@ Always verify against production bundles.
 * **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura.
 * **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
 * **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
-
+* **January 26th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864).
 ---

 ## Attribution {/*attribution*/}

-Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities.
+Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. Thank you to [Mufeed VH](https://x.com/mufeedvh) from [Winfunc Research](https://winfunc.com), [Joachim Viide](https://jviide.iki.fi), [RyotaK](https://ryotak.net) from [GMO Flatt Security Inc](https://flatt.tech/en/) and Xiangwei Zhang of Tencent Security YUNDING LAB for reporting the additional DoS vulnerabilities.