This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864). Key Findings
CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864) affects react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionCommentsCloudflare Managed Rulesetaaede80b4d414dc89c443cea61680354 N/AReact Server - DOS - CVE:CVE-2026-23864 - 1N/ABlockThis is a new detection.Cloudflare Managed Ruleset3e93c9faaafa447c83a525f2dcdffcf8 N/AReact Server - DOS - CVE:CVE-2026-23864 - 2N/ABlockThis is a new detection.Cloudflare Managed Ruleset930020d567684f19b05fb35b349edbc6 N/AReact Server - DOS - CVE:CVE-2026-23864 - 3N/ABlockThis is a new detection.
Fetched April 4, 2026