Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/react-server-dom-turbopack@19.2.0-canary-e9638c33-20250721
Typenpm
Namespace
Namereact-server-dom-turbopack
Version19.2.0-canary-e9638c33-20250721
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version19.2.5
Latest_non_vulnerable_version19.3.0-canary-06fcc8f3-20251009
Affected_by_vulnerabilities
0
url VCID-1vbs-dw4u-x3br
vulnerability_id VCID-1vbs-dw4u-x3br
summary 
React Server Components have multiple Denial of Service Vulnerabilities
It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities still exist in React Server Components.

We recommend updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
reference_id
reference_type
scores
0
value 0.0198
scoring_system epss
scoring_elements 0.83905
published_at 2026-06-08T12:55:00Z
1
value 0.0198
scoring_system epss
scoring_elements 0.83917
published_at 2026-06-05T12:55:00Z
2
value 0.0198
scoring_system epss
scoring_elements 0.8392
published_at 2026-06-06T12:55:00Z
3
value 0.0198
scoring_system epss
scoring_elements 0.83915
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
reference_id 2433059
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id CVE-2026-23864
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
6
reference_url https://www.facebook.com/security/advisories/cve-2026-23864
reference_id CVE-2026-23864
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-26T20:26:03Z/
url https://www.facebook.com/security/advisories/cve-2026-23864
7
reference_url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
8
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
9
reference_url https://access.redhat.com/errata/RHSA-2026:13571
reference_id RHSA-2026:13571
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:13571
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.2.4
purl pkg:npm/react-server-dom-turbopack@19.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rqq3-xbes-x7ga
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.4
aliases CVE-2026-23864, GHSA-83fc-fqcc-2hmg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1vbs-dw4u-x3br
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.0-canary-e9638c33-20250721