Fix CVE-2026-23864#8

Open
loganaden wants to merge 1 commit into
RndUsername:mainfrom
cyberstormdotmu:main
Conversation

@loganaden loganaden commented Jan 28, 2026


https://nvd.nist.gov/vuln/detail/CVE-2026-23864

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated react-server-dom-webpack dependency to a newer patch version, incorporating improvements and enhancements to the underlying infrastructure.

coderabbitai Bot commented Jan 28, 2026

Walkthrough

Updated the react-server-dom-webpack dependency from version 19.0.0 to 19.0.4 in package.json. This is a minor patch version bump with no changes to application logic or public APIs.

Changes

Cohort / File(s)            Summary
Dependency Version Update
  package.json              Bumped react-server-dom-webpack from 19.0.0 to 19.0.4

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version bump, so small and neat,
Nineteen point zero, can't be beat!
From dot-oh to dot-four we climb,
Patching bugs with perfect rhyme,
Dependencies dance, the code feels light! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name           Status     Explanation
Description Check    ✅ Passed  Check skipped - CodeRabbit’s high-level summary is enabled.
Title check          ✅ Passed  The title references a specific CVE (CVE-2026-23864) that is addressed by updating react-server-dom-webpack from 19.0.0 to 19.0.4, which aligns with the main change in the pull request.
Docstring Coverage   ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Around line 20-23: Update the three Server Component dependencies so they all
use patch level 19.0.4: change the version strings for "react", "react-dom", and
"react-server-dom-webpack" from 19.0.0/19.0.4 to "19.0.4", then run npm install
to regenerate package-lock.json so the lockfile reflects the patched versions
and resolves CVE-2026-23864.

Comment thread package.json
Comment on lines 20 to 23
"react": "19.0.0",
"react-dom": "19.0.0",
"react-server-dom-webpack": "19.0.0",
"react-server-dom-webpack": "19.0.4",
"tailwind-merge": "^2.5.5",
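Review bot: package-lock.json is not part of this change, so an `npm install` / `npm ci` from the lockfile will keep resolving react-server-dom-webpack to the 19.0.0 it currently pins; regenerate the lockfile with `npm install` and commit it alongside this line so the patched version is actually what gets installed. The hunk also bumps only `"react-server-dom-webpack": "19.0.4"` while the lines just above still pin `"react": "19.0.0"` and `"react-dom": "19.0.0"`; since 19.0.4 is the fixed release for the whole 19.0 line, bump all three together so the Server Components packages stay on one release.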

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all lockfiles in the repository
find . -type f \( -name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock" -o -name "npm-shrinkwrap.json" \) 2>/dev/null | head -20

Repository: RndUsername/Home-DMS

Length of output: 83


🌐 Web query:

CVE-2026-23864 react-server-dom-webpack fix

💡 Result:

To fix CVE-2026-23864 in react-server-dom-webpack, upgrade to a patched React release that includes the updated Server Components packages:

  • React (and react-server-dom-webpack) fixed in: 19.0.4, 19.1.5, 19.2.4 (upgrade to the latest in your major/minor line, or newer). [1][2]

If you’re using Next.js, upgrade to a patched Next.js version (it pulls in the fixed React Server Components bits):

  • Next.js fixed in: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9 (or newer). [2]

Practical commands (typical):

# React / RSC packages (pick the latest patched version applicable to your project)
npm i react@^19.2.4 react-dom@^19.2.4 react-server-dom-webpack@^19.2.4

These issues are DoS vulnerabilities triggered by specially crafted requests to Server Function endpoints, potentially causing crashes / OOM / high CPU. [1][3]

Sources: NVD entry and vendor write-ups. [1][2][3]


🌐 Web query:

React 19.0.4 release availability

💡 Result:

React 19.0.4 is available: it was published as an official release/tag in the facebook/react repo on January 26, 2026. [1][2]

To use it, install the matching packages:

npm i react@19.0.4 react-dom@19.0.4

Sources: [1] [2]


🏁 Script executed:

#!/bin/bash
# Check the current state of react-server-dom-webpack in package-lock.json
rg -A 5 '"react-server-dom-webpack"' package-lock.json | head -20

Repository: RndUsername/Home-DMS

Length of output: 453


🏁 Script executed:

#!/bin/bash
# Also check react and react-dom versions in lockfile
rg '"version": "19\.' package-lock.json | grep -E '"react"' | head -10

Repository: RndUsername/Home-DMS

Length of output: 46


🏁 Script executed:

#!/bin/bash
# Check react and react-dom entries in package-lock.json
rg '"name": "react"' -A 2 package-lock.json | head -20

Repository: RndUsername/Home-DMS

Length of output: 46


🏁 Script executed:

#!/bin/bash
# Check what's actually in package-lock.json for dependencies section
sed -n '1,50p' package-lock.json | cat -n

Repository: RndUsername/Home-DMS

Length of output: 2022


Update package-lock.json and align all Server Component packages to patch level 19.0.4 (Line 22).

The CVE-2026-23864 fix requires react-server-dom-webpack@19.0.4, but package-lock.json still references 19.0.0. Additionally, react and react-dom must be updated to 19.0.4 to fully resolve the Server Functions DoS vulnerability. Align all three packages to 19.0.4:

"react": "19.0.4",
"react-dom": "19.0.4",
"react-server-dom-webpack": "19.0.4",

Then run npm install to regenerate package-lock.json.

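The review above boils down to a check a maintainer can run before merging: are react, react-dom and react-server-dom-webpack at a fixed release in both package.json and package-lock.json? The following Node script is an added example, not code from the PR or from CodeRabbit; it assumes a lockfile in the v2/v3 format (a top-level "packages" map) and, as an assumption, treats anything below 19 or on a 19.x minor line newer than 19.2 as unpatched or patched respectively.

```javascript
// Added audit script (not part of the PR): flag React Server Components
// packages whose declared or lock-resolved version predates the
// CVE-2026-23864 fix. Fixed versions per the thread: 19.0.4, 19.1.5, 19.2.4.
const RSC_PACKAGES = ['react', 'react-dom', 'react-server-dom-webpack'];
const FIXED_PATCH = { 0: 4, 1: 5, 2: 4 }; // 19.<minor> -> first fixed patch

// Parse "19.0.4", "^19.0.4" or "~19.0.0" into [major, minor, patch].
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Patched if at/after the fix for its 19.x minor line. Unparseable specs
// are reported; anything below 19 is treated as unpatched (assumption).
function isPatched(spec) {
  const v = parseVersion(spec);
  if (!v) return false;
  if (v[0] !== 19) return v[0] > 19;
  if (!(v[1] in FIXED_PATCH)) return v[1] > 2; // 19.3+ assumed to postdate the fix
  return v[2] >= FIXED_PATCH[v[1]];
}

// Check package.json "dependencies" and package-lock.json v2/v3 "packages".
function auditRsc(pkg, lock) {
  const findings = [];
  for (const name of RSC_PACKAGES) {
    const declared = (pkg.dependencies || {})[name];
    if (declared && !isPatched(declared))
      findings.push({ name, where: 'package.json', version: declared });
    const entry = lock && lock.packages && lock.packages[`node_modules/${name}`];
    if (entry && !isPatched(entry.version))
      findings.push({ name, where: 'package-lock.json', version: entry.version });
  }
  return findings;
}

// Constructed sample mirroring this PR: only react-server-dom-webpack bumped in
// package.json, and package-lock.json still resolving all three to 19.0.0.
const SAMPLE_PKG = { dependencies: { react: '19.0.0', 'react-dom': '19.0.0',
  'react-server-dom-webpack': '19.0.4', 'tailwind-merge': '^2.5.5' } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/react': { version: '19.0.0' },
  'node_modules/react-dom': { version: '19.0.0' },
  'node_modules/react-server-dom-webpack': { version: '19.0.0' } } };

// Run as a script: prints the findings for the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditRsc(SAMPLE_PKG, SAMPLE_LOCK))
    console.log(`${f.where}: ${f.name}@${f.version} is unpatched`);
}
```

Against the sample it reports five unpatched entries, which is exactly the state the review describes; a v1 lockfile (a "dependencies" tree instead of "packages") is not handled and would need a small adaptation.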