WAF Release - 2026-01-26

WAF

This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864).

Key Findings

  • CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864) affects react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages.
  • Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset N/AReact Server - DOS - CVE:CVE-2026-23864 - 1N/ABlockThis is a new detection.
Cloudflare Managed Ruleset N/AReact Server - DOS - CVE:CVE-2026-23864 - 2N/ABlockThis is a new detection.
Cloudflare Managed Ruleset N/AReact Server - DOS - CVE:CVE-2026-23864 - 3N/ABlockThis is a new detection.