
Sync React to c0d218f0 (Mar 24) — CVE-2026-23864#91894

Closed
hammadxcm wants to merge 1 commit into vercel:canary from hammadxcm:sync-react-c0d218f0

Conversation

@hammadxcm

Summary

Syncs vendored React packages from 8b2e903a (Mar 20) to c0d218f0 (Mar 24), updating all canary and experimental channel packages.

Closes #91890

CVE-2026-23864 / GHSA-83fc-fqcc-2hmg — Verification

The reported vulnerability (DoS in React Server Components via specially crafted HTTP requests to Server Function endpoints) was fixed in facebook/react#35632 ("[Flight] Add more DoS mitigations to Flight Reply, and harden Flight"), merged 2026-01-26.

The canary commit c0d218f0 (Mar 24) is 128 commits ahead of the fix commit 10680271, confirming the fix is fully included. In fact, both the old (8b2e903a, Mar 20) and new canaries already contain the fix — it was merged nearly two months prior. This sync updates to the very latest canary for completeness.

Protections present in the vendored React RSC server code:

| Protection | Detail |
| --- | --- |
| Bound arguments limit | Server Functions limited to 1,000 bound arguments |
| Array size / nesting limit | Default 1,000,000 total slots across nested arrays (`_arraySizeLimit`) |
| BigInt size limit | Rejects BigInt values exceeding 300 digits |
| `__proto__` pollution guards | Skips/deletes `__proto__` keys during deserialization at multiple points |
| `then` key poisoning prevention | `createModel()` returns null for "then" function models |
| Plain object enforcement | Rejects non-plain objects (classes, null prototypes) in Server→Client serialization |

Additional Next.js-level protections:

  • HTTP body size limit: default 1 MB, configurable via serverActions.bodySizeLimit
  • CSRF / origin validation with configurable allowedOrigins
  • Action ID validation (42-char length check + serverModuleMap lookup)
  • Header value length limiting for logs (100 chars)

Upstream React changes

diff facebook/react@8b2e903a...c0d218f0

Packages updated

  • react / react-dom / scheduler (canary + experimental)
  • react-server-dom-webpack / react-server-dom-turbopack (canary + experimental)
  • react-is

62 files changed across package.json, pnpm-lock.yaml, and packages/next/src/compiled/.

Test plan

  • CI passes (build, lint, types, tests)
  • No regressions in RSC e2e tests
  • Verify vendored server-dom packages contain DoS mitigations (bound args limit, array size limit, BigInt limit, proto guards)

Updates vendored React packages to the latest canary. Includes upstream
React PRs vercel#36134 (useDeferredValue fix) and vercel#36094 (DevTools Activity).

Addresses vercel#91890 — the vendored react-server-dom-webpack and
react-server-dom-turbopack packages are updated to the latest canary
which includes fixes for CVE-2026-23864.

[diff facebook/react@8b2e903a...c0d218f0](facebook/react@8b2e903...c0d218f)
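The "Additional Next.js-level protections" list above names two settings an operator controls, `serverActions.bodySizeLimit` and `serverActions.allowedOrigins`. The following is an added example, not code from this PR or from Next.js, that audits a `next.config.js` object for a body limit above a policy ceiling and for wildcard origins; it assumes the documented config shape `experimental.serverActions.{bodySizeLimit, allowedOrigins}` and that `bodySizeLimit` is a number of bytes or a string such as `'1mb'`.

```javascript
// Added example (not part of the PR or Next.js). Audits the two
// Next.js-level Server Action settings named in the PR description.
// Assumption: bodySizeLimit is bytes (number) or a string like '500kb'/'2mb'.
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };
const DEFAULT_BODY_LIMIT = UNITS.mb; // the 1 MB default stated in the PR

function parseBodySizeLimit(value) {
  if (typeof value === 'number') return value;
  const m = /^\s*(\d+(?:\.\d+)?)\s*([kmg]?b)\s*$/i.exec(String(value));
  if (!m) throw new Error(`unrecognised bodySizeLimit: ${value}`);
  return Math.round(parseFloat(m[1]) * UNITS[m[2].toLowerCase()]);
}

// Returns a list of findings; an empty list means the config meets the policy.
function auditServerActions(nextConfig, maxBodyBytes = DEFAULT_BODY_LIMIT) {
  const sa = (nextConfig.experimental && nextConfig.experimental.serverActions) || {};
  const findings = [];
  const limit = sa.bodySizeLimit === undefined
    ? DEFAULT_BODY_LIMIT
    : parseBodySizeLimit(sa.bodySizeLimit);
  if (limit > maxBodyBytes) {
    findings.push(`bodySizeLimit of ${limit} bytes exceeds policy of ${maxBodyBytes} bytes`);
  }
  for (const origin of sa.allowedOrigins || []) {
    // Pattern entries widen the CSRF origin check; flag them for review.
    if (origin.includes('*')) {
      findings.push(`allowedOrigins entry '${origin}' is a wildcard; confirm every matching host is trusted`);
    }
  }
  return findings;
}

// Constructed sample configs: a loosened one and a hardened one.
const weakConfig = {
  experimental: { serverActions: { bodySizeLimit: '50mb', allowedOrigins: ['*.example.com'] } },
};
const hardenedConfig = {
  experimental: { serverActions: { bodySizeLimit: '1mb', allowedOrigins: ['app.example.com'] } },
};

console.log(auditServerActions(weakConfig));     // two findings
console.log(auditServerActions(hardenedConfig)); // []
```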
@nextjs-bot (Collaborator)

Allow CI Workflow Run

  • approve CI run for commit: 72531d4

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer


Development

Successfully merging this pull request may close these issues.

[Dependencies] Update version of dependencies to fix vulnerabilities
