Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/react-server-dom-turbopack@19.2.3
Typenpm
Namespace
Namereact-server-dom-turbopack
Version19.2.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version19.2.5
Latest_non_vulnerable_version19.3.0-canary-06fcc8f3-20251009
Affected_by_vulnerabilities
0
url VCID-bwdv-fw3h-dfce
vulnerability_id VCID-bwdv-fw3h-dfce
summary 
React Server Components have multiple Denial of Service Vulnerabilities
## Impact

It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities still exist in React Server Components.

We recommend updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)  
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)  
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

## Patches

Fixes were back ported to versions 19.0.4, 19.1.5, and 19.2.4.

If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

## References

See the [blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more information and upgrade instructions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
reference_id
reference_type
scores
0
value 0.01108
scoring_system epss
scoring_elements 0.78264
published_at 2026-05-12T12:55:00Z
1
value 0.01108
scoring_system epss
scoring_elements 0.78245
published_at 2026-05-11T12:55:00Z
2
value 0.01108
scoring_system epss
scoring_elements 0.78253
published_at 2026-05-09T12:55:00Z
3
value 0.01395
scoring_system epss
scoring_elements 0.80341
published_at 2026-04-02T12:55:00Z
4
value 0.01456
scoring_system epss
scoring_elements 0.80881
published_at 2026-04-24T12:55:00Z
5
value 0.01456
scoring_system epss
scoring_elements 0.80858
published_at 2026-04-21T12:55:00Z
6
value 0.01456
scoring_system epss
scoring_elements 0.80856
published_at 2026-04-18T12:55:00Z
7
value 0.01456
scoring_system epss
scoring_elements 0.80854
published_at 2026-04-16T12:55:00Z
8
value 0.01456
scoring_system epss
scoring_elements 0.80817
published_at 2026-04-13T12:55:00Z
9
value 0.01456
scoring_system epss
scoring_elements 0.8079
published_at 2026-04-04T12:55:00Z
10
value 0.01456
scoring_system epss
scoring_elements 0.80787
published_at 2026-04-07T12:55:00Z
11
value 0.01456
scoring_system epss
scoring_elements 0.80814
published_at 2026-04-08T12:55:00Z
12
value 0.01456
scoring_system epss
scoring_elements 0.80823
published_at 2026-04-09T12:55:00Z
13
value 0.01456
scoring_system epss
scoring_elements 0.80825
published_at 2026-04-12T12:55:00Z
14
value 0.01456
scoring_system epss
scoring_elements 0.8084
published_at 2026-04-11T12:55:00Z
15
value 0.01456
scoring_system epss
scoring_elements 0.80935
published_at 2026-05-07T12:55:00Z
16
value 0.01456
scoring_system epss
scoring_elements 0.80914
published_at 2026-05-05T12:55:00Z
17
value 0.01456
scoring_system epss
scoring_elements 0.80898
published_at 2026-04-29T12:55:00Z
18
value 0.01456
scoring_system epss
scoring_elements 0.80887
published_at 2026-04-26T12:55:00Z
19
value 0.01924
scoring_system epss
scoring_elements 0.83553
published_at 2026-05-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
5
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
6
reference_url https://www.facebook.com/security/advisories/cve-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-26T20:26:03Z/
url https://www.facebook.com/security/advisories/cve-2026-23864
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
reference_id 2433059
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
8
reference_url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
9
reference_url https://access.redhat.com/errata/RHSA-2026:13571
reference_id RHSA-2026:13571
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:13571
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.2.4
purl pkg:npm/react-server-dom-turbopack@19.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fa57-smff-sbg2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.4
aliases CVE-2026-23864, GHSA-83fc-fqcc-2hmg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bwdv-fw3h-dfce
1
url VCID-fa57-smff-sbg2
vulnerability_id VCID-fa57-smff-sbg2
summary A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23869.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23869.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23869
reference_id
reference_type
scores
0
value 0.00322
scoring_system epss
scoring_elements 0.55238
published_at 2026-04-12T12:55:00Z
1
value 0.00322
scoring_system epss
scoring_elements 0.55247
published_at 2026-04-09T12:55:00Z
2
value 0.00322
scoring_system epss
scoring_elements 0.55259
published_at 2026-04-11T12:55:00Z
3
value 0.00322
scoring_system epss
scoring_elements 0.5522
published_at 2026-04-13T12:55:00Z
4
value 0.00688
scoring_system epss
scoring_elements 0.7176
published_at 2026-04-21T12:55:00Z
5
value 0.00688
scoring_system epss
scoring_elements 0.71777
published_at 2026-04-18T12:55:00Z
6
value 0.00688
scoring_system epss
scoring_elements 0.71772
published_at 2026-04-16T12:55:00Z
7
value 0.00728
scoring_system epss
scoring_elements 0.72732
published_at 2026-05-07T12:55:00Z
8
value 0.00728
scoring_system epss
scoring_elements 0.72702
published_at 2026-05-05T12:55:00Z
9
value 0.00728
scoring_system epss
scoring_elements 0.72713
published_at 2026-04-26T12:55:00Z
10
value 0.00728
scoring_system epss
scoring_elements 0.72709
published_at 2026-04-29T12:55:00Z
11
value 0.00728
scoring_system epss
scoring_elements 0.72704
published_at 2026-04-24T12:55:00Z
12
value 0.00728
scoring_system epss
scoring_elements 0.72757
published_at 2026-05-09T12:55:00Z
13
value 0.00841
scoring_system epss
scoring_elements 0.74896
published_at 2026-05-14T12:55:00Z
14
value 0.00841
scoring_system epss
scoring_elements 0.74822
published_at 2026-05-11T12:55:00Z
15
value 0.00841
scoring_system epss
scoring_elements 0.74842
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23869
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23869
4
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456663
reference_id 2456663
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456663
6
reference_url https://github.com/advisories/GHSA-479c-33wc-g2pg
reference_id GHSA-479c-33wc-g2pg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-479c-33wc-g2pg
7
reference_url https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg
reference_id GHSA-479c-33wc-g2pg
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:55:33Z/
url https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.2.5
purl pkg:npm/react-server-dom-turbopack@19.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.5
aliases CVE-2026-23869, GHSA-479c-33wc-g2pg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fa57-smff-sbg2
Fixing_vulnerabilities
0
url VCID-pbfy-s6g4-w7ex
vulnerability_id VCID-pbfy-s6g4-w7ex
summary 
Denial of Service Vulnerability in React Server Components
It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.

We recommend updating immediately.

The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

These issues are present in the patches published on December 11th, 2025.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67779.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67779.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-67779
reference_id
reference_type
scores
0
value 0.0013
scoring_system epss
scoring_elements 0.32628
published_at 2026-04-02T12:55:00Z
1
value 0.00167
scoring_system epss
scoring_elements 0.37786
published_at 2026-04-07T12:55:00Z
2
value 0.00167
scoring_system epss
scoring_elements 0.37864
published_at 2026-04-11T12:55:00Z
3
value 0.00167
scoring_system epss
scoring_elements 0.37849
published_at 2026-04-09T12:55:00Z
4
value 0.00167
scoring_system epss
scoring_elements 0.37836
published_at 2026-04-08T12:55:00Z
5
value 0.00167
scoring_system epss
scoring_elements 0.37907
published_at 2026-04-04T12:55:00Z
6
value 0.00306
scoring_system epss
scoring_elements 0.53759
published_at 2026-05-07T12:55:00Z
7
value 0.00306
scoring_system epss
scoring_elements 0.53813
published_at 2026-05-09T12:55:00Z
8
value 0.00306
scoring_system epss
scoring_elements 0.53714
published_at 2026-05-05T12:55:00Z
9
value 0.00378
scoring_system epss
scoring_elements 0.59354
published_at 2026-04-13T12:55:00Z
10
value 0.00378
scoring_system epss
scoring_elements 0.59372
published_at 2026-04-12T12:55:00Z
11
value 0.00378
scoring_system epss
scoring_elements 0.59355
published_at 2026-04-29T12:55:00Z
12
value 0.00378
scoring_system epss
scoring_elements 0.59371
published_at 2026-04-26T12:55:00Z
13
value 0.00378
scoring_system epss
scoring_elements 0.59374
published_at 2026-04-21T12:55:00Z
14
value 0.00378
scoring_system epss
scoring_elements 0.59351
published_at 2026-04-24T12:55:00Z
15
value 0.00378
scoring_system epss
scoring_elements 0.59393
published_at 2026-04-18T12:55:00Z
16
value 0.00378
scoring_system epss
scoring_elements 0.59387
published_at 2026-04-16T12:55:00Z
17
value 0.00448
scoring_system epss
scoring_elements 0.63712
published_at 2026-05-14T12:55:00Z
18
value 0.00448
scoring_system epss
scoring_elements 0.63634
published_at 2026-05-11T12:55:00Z
19
value 0.00448
scoring_system epss
scoring_elements 0.6366
published_at 2026-05-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-67779
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-12T18:39:24Z/
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2421678
reference_id 2421678
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2421678
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
reference_id CVE-2025-67779
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
6
reference_url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
reference_id GHSA-2m3v-v2m8-q956
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
7
reference_url https://github.com/advisories/GHSA-7gmr-mq3h-m5h9
reference_id GHSA-7gmr-mq3h-m5h9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7gmr-mq3h-m5h9
8
reference_url https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9
reference_id GHSA-7gmr-mq3h-m5h9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.0.3
purl pkg:npm/react-server-dom-turbopack@19.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.3
1
url pkg:npm/react-server-dom-turbopack@19.1.4
purl pkg:npm/react-server-dom-turbopack@19.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.4
2
url pkg:npm/react-server-dom-turbopack@19.2.3
purl pkg:npm/react-server-dom-turbopack@19.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.3
aliases CVE-2025-67779, GHSA-7gmr-mq3h-m5h9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbfy-s6g4-w7ex
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.3