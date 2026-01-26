Changelog
WAF Release - 2026-01-26
This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗).
Key Findings
- CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗) affects
react-server-dom-parcel,
react-server-dom-turbopack, and
react-server-dom-webpackpackages.
- Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
|Ruleset
|Rule ID
|Legacy Rule ID
|Description
|Previous Action
|New Action
|Comments
|Cloudflare Managed Ruleset
|N/A
|React Server - DOS - CVE:CVE-2026-23864 - 1
|N/A
|Block
|This is a new detection.
|Cloudflare Managed Ruleset
|N/A
|React Server - DOS - CVE:CVE-2026-23864 - 2
|N/A
|Block
|This is a new detection.
|Cloudflare Managed Ruleset
|N/A
|React Server - DOS - CVE:CVE-2026-23864 - 3
|N/A
|Block
|This is a new detection.