Update DoS blog post with additional CVE (#8263)

Author: rickhanlonii

src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md

@@ -62,13 +62,15 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F
 
 These instructions have been updated to include the new vulnerabilities:
 
-- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
 - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
-
-They also include the additional case found, patched, and disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
+- **Denial of Service - High Severity**: January 26, 2026 [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5)
 
 See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.
 
+-----
+
+_Updated January 26, 2026._
 </Note>
 
 ### Next.js {/*update-next-js*/}
@@ -77,18 +79,21 @@ All users should upgrade to the latest patched version in their release line:
 
 ```bash
 npm install next@14.2.35  // for 13.3.x, 13.4.x, 13.5.x, 14.x
-npm install next@15.0.7   // for 15.0.x
-npm install next@15.1.11  // for 15.1.x
-npm install next@15.2.8   // for 15.2.x
-npm install next@15.3.8   // for 15.3.x
-npm install next@15.4.10  // for 15.4.x
-npm install next@15.5.9   // for 15.5.x
-npm install next@16.0.10  // for 16.0.x
+npm install next@15.0.8   // for 15.0.x
+npm install next@15.1.12  // for 15.1.x
+npm install next@15.2.9   // for 15.2.x
+npm install next@15.3.9   // for 15.3.x
+npm install next@15.4.11  // for 15.4.x
+npm install next@15.5.10  // for 15.5.x
+npm install next@16.0.11  // for 16.0.x
+npm install next@16.1.5   // for 16.1.x
 
 npm install next@15.6.0-canary.60   // for 15.x canary releases
 npm install next@16.1.0-canary.19   // for 16.x canary releases
 ```
 
+15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5
+
 If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.
 
 If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:

src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md

@@ -9,6 +9,8 @@ description: Security researchers have found and disclosed two additional vulner
 
 December 11, 2025 by [The React Team](/community/team)
 
+_Updated January 26, 2026._
+
 ---
 
 <Intro>
@@ -23,7 +25,7 @@ Security researchers have found and disclosed two additional vulnerabilities in
 
 The new vulnerabilities are disclosed as:
 
-- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5)
 - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
 
 We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
@@ -32,12 +34,16 @@ We recommend upgrading immediately due to the severity of the newly disclosed vu
 
 #### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/}
 
-If you already updated for the Critical Security Vulnerability last week, you will need to update again.
+If you already updated for the previous vulnerabilities, you will need to update again.
 
-If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again.
+If you updated to 19.0.3, 19.1.4, and 19.2.3, [these are incomplete](#additional-fix-published), and you will need to update again.
 
 Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
 
+-----
+
+_Updated January 26, 2026._
+
 </Note>
 
 Further details of these vulnerabilities will be provided after the rollout of the fixes are complete.
@@ -46,13 +52,13 @@ Further details of these vulnerabilities will be provided after the rollout of t
 
 These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
 
-This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of:
+This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:
 
 * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
 * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
 * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
 
-Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+Fixes were backported to versions 19.0.4, 19.1.5, and 19.2.4. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
 
 As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.
 
@@ -72,7 +78,7 @@ Additional disclosures can be frustrating, but they are generally a sign of a he
 
 Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).
 
-Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
+Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
 
 ### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
 
@@ -94,29 +100,47 @@ This is required to mitigate the security advisories, but you do not need to upd
 
 See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information.
 
-## High Severity: Denial of Service {/*high-severity-denial-of-service*/}
+---
 
-**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779)
+## High Severity: Multiple Denial of Service {/*high-severity-multiple-denial-of-service*/}
+
+**CVEs:** [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
 **Base Score:** 7.5 (High)
+**Date**: January 26, 2025
 
-Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
+Security researchers discovered additional DoS vulnerabilities still exist in React Server Components.
 
-This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a  performance impact on the server environment.
+The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
 
-The patches published today mitigate by preventing the infinite loop.
+The patches published January 26th mitigate these DoS vulnerabilities.
 
 <Note>
 
-#### Additional fix published {/*additional-fix-published*/}
+#### Additional fixes published {/*additional-fix-published*/}
 
 The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete.
 
-This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe.
+This left previous versions vulnerable. Versions 19.0.4, 19.1.5, 19.2.4 are safe.
+
+-----
 
-We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions.
+_Updated January 26, 2026._
 
 </Note>
 
+---
+
+## High Severity: Denial of Service {/*high-severity-denial-of-service*/}
+
+**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779)
+**Base Score:** 7.5 (High)
+
+Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
+
+This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a  performance impact on the server environment.
+
+The patches published today mitigate by preventing the infinite loop.
+
 ## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/}
 
 **CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183)
@@ -170,9 +194,9 @@ Always verify against production bundles.
 * **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura.
 * **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
 * **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
-
+* **January 26th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864).
 ---
 
 ## Attribution {/*attribution*/}
 
-Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities.
+Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. Thank you to [Mufeed VH](https://x.com/mufeedvh) from [Winfunc Research](https://winfunc.com), [Joachim Viide](https://jviide.iki.fi), [RyotaK](https://ryotak.net) from [GMO Flatt Security Inc](https://flatt.tech/en/) and Xiangwei Zhang of Tencent Security YUNDING LAB for reporting the additional DoS vulnerabilities.