React Server Components flaw disclosed

A high‑severity vulnerability in React Server Components was disclosed that could let unauthenticated attackers trigger denial‑of‑service conditions. Teams that rely on web‑based admin consoles, internal dashboards, or documentation portals should consider this a relevant operational risk even if the shipping client is a native app. (gbhackers.com)

React Server Components are the part of React that lets a server build pieces of a page before the browser sees them, like a restaurant kitchen plating dishes before the waiter walks out. In React 19, those server-side pieces ship through the packages `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. (github.com)

Another React feature, the Server Function, is the button behind the button: when a user clicks “save” or “publish,” the browser can send an HTTP request straight to server code. The new flaw sits in those Server Function endpoints, not in the visible button itself. (github.com)

The bug is a denial-of-service bug, which means an attacker does not steal data first; they just keep the server too busy to answer normal users. GitHub’s advisory says a specially crafted request can trigger the issue without authentication, so the attacker does not need to log in before trying it. (github.com) The practical effect is ugly but simple: the server can burn CPU time, run out of memory, or crash. Vercel’s summary says the exact failure depends on the code path, but the end result can be an app that stops serving future requests. (vercel.com)

The affected versions are broad enough that a lot of teams will have to check carefully. GitHub lists vulnerable releases across the 19.0, 19.1, and 19.2 lines, including 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4 for all three React Server Components packages. (github.com) The fix is equally concrete: update to 19.0.5, 19.1.6, or 19.2.5. GitHub published the advisory on April 8, 2026, and the National Vulnerability Database tracks the issue as CVE-2026-23864. (github.com) (nist.gov)

This is not the first time React Server Components have had this kind of problem. React’s own December 11, 2025 security post said researchers found additional bugs while testing fixes for an earlier critical React Server Components vulnerability, which shows this part of the stack has been under active pressure for months. (react.dev) That history matters because many teams think “our product is a mobile app” and forget the web surfaces around it. Admin consoles, internal dashboards, content tools, and documentation portals often run on the same React and Next.js plumbing, and Netlify notes that React Server Components are used by Next.js and other React metaframeworks. (netlify.com)

If your team uses those server-side React features, the check is narrow and fast: look for Server Function endpoints and those three `react-server-dom-*` packages in your dependency tree. If they are on a vulnerable 19.x release, the vendor guidance is to upgrade immediately rather than try to filter the attack at the edge. (github.com) (vercel.com)
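The dependency-tree check described above, written out as an added Node.js example (this is not code from the article, the React project, or the advisory). It walks the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3), picks out the three `react-server-dom-*` packages wherever they sit in the tree, and compares each version against the vulnerable and fixed ranges the article quotes from the GitHub advisory. The lockfile below is constructed; the package names, version ranges and fixed versions are the ones stated in the text. Prerelease builds such as canaries are not listed in the advisory, so the script flags them for manual review rather than guessing.

```javascript
// Added example: flag react-server-dom-* packages on versions the advisory for
// CVE-2026-23864 lists as vulnerable, using only the ranges quoted in the article.

const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Per minor line: highest vulnerable patch release and the first fixed patch release,
// as stated in the article (19.0.0-19.0.4 -> 19.0.5, 19.1.0-19.1.5 -> 19.1.6,
// 19.2.0-19.2.4 -> 19.2.5).
const VULNERABLE_LINES = {
  '19.0': { maxVulnerablePatch: 4, fixedPatch: 5 },
  '19.1': { maxVulnerablePatch: 5, fixedPatch: 6 },
  '19.2': { maxVulnerablePatch: 4, fixedPatch: 5 },
};

// Parse "major.minor.patch" with an optional "-prerelease" suffix; returns null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ? m[4].slice(1) : null };
}

// Classify one version string against the advisory ranges.
function assessVersion(version) {
  const p = parseVersion(version);
  if (!p) return { status: 'unparseable', fixedVersion: null };
  const line = `${p.major}.${p.minor}`;
  const info = VULNERABLE_LINES[line];
  if (!info) return { status: 'not-listed', fixedVersion: null }; // e.g. 18.x or a line the advisory does not name
  const fixedVersion = `${line}.${info.fixedPatch}`;
  if (p.prerelease !== null) return { status: 'prerelease-review', fixedVersion }; // canaries: check by hand
  if (p.patch <= info.maxVulnerablePatch) return { status: 'vulnerable', fixedVersion };
  return { status: 'fixed', fixedVersion };
}

// Walk a package-lock.json (v2/v3) "packages" map. Keys look like
// "node_modules/<name>" or "node_modules/<parent>/node_modules/<name>" for nested copies.
function scanLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    findings.push({ path, name, version: entry.version, ...assessVersion(entry.version || '') });
  }
  return findings;
}

// Convenience: only the entries that need an upgrade (plus prereleases needing review).
function actionableFindings(lockfile) {
  return scanLockfile(lockfile).filter(f => f.status === 'vulnerable' || f.status === 'prerelease-review');
}

// Constructed sample lockfile for an internal admin console: one package is already fixed,
// two are on vulnerable releases (one of them a nested copy under another dependency).
const SAMPLE_LOCKFILE = {
  name: 'admin-console',
  lockfileVersion: 3,
  packages: {
    '': { name: 'admin-console', version: '1.0.0' },
    'node_modules/react': { version: '19.2.4' },
    'node_modules/react-server-dom-webpack': { version: '19.2.4' },
    'node_modules/react-server-dom-turbopack': { version: '19.1.6' },
    'node_modules/some-tool/node_modules/react-server-dom-parcel': { version: '19.0.2' },
  },
};

// Usage: node check-rsc.js  (or point scanLockfile at JSON.parse(fs.readFileSync('package-lock.json')))
for (const f of scanLockfile(SAMPLE_LOCKFILE)) {
  const advice = f.status === 'vulnerable' ? ` -> upgrade to ${f.fixedVersion}` : '';
  console.log(`${f.status.padEnd(18)} ${f.name}@${f.version} (${f.path})${advice}`);
}
```

Nested copies matter: a metaframework can pin its own `react-server-dom-*` copy under its own `node_modules`, so a top-level `npm ls` that only shows the hoisted version can miss the one actually loaded at runtime. Running the scan against the whole `packages` map catches both.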

Shared from Scout - Be the smartest in the room.