PR #91894: Sync React to c0d218f0 (Mar 24) — CVE-2026-23864

• Repository: vercel/next.js
• Author: hammadxcm
• State: closed | merged: False
• Link: https://github.com/vercel/next.js/pull/91894

Description (problem / solution / changelog)

Summary

Syncs vendored React packages from 8b2e903a (Mar 20) to c0d218f0 (Mar 24), updating all canary and experimental channel packages.

Closes #91890

CVE-2026-23864 / GHSA-83fc-fqcc-2hmg — Verification

The reported vulnerability (DoS in React Server Components via specially crafted HTTP requests to Server Function endpoints) was fixed in facebook/react#35632 ("[Flight] Add more DoS mitigations to Flight Reply, and harden Flight"), merged 2026-01-26.

The canary commit c0d218f0 (Mar 24) is 128 commits ahead of the fix commit 10680271, confirming the fix is fully included. In fact, both the old (8b2e903a, Mar 20) and new canaries already contain the fix — it was merged nearly two months prior. This sync updates to the very latest canary for completeness.

Protections present in the vendored React RSC server code:

Additional Next.js-level protections:

• HTTP body size limit: default 1 MB, configurable via serverActions.bodySizeLimit
• CSRF / origin validation with configurable allowedOrigins
• Action ID validation (42-char length check + serverModuleMap lookup)
• Header value length limiting for logs (100 chars)

Upstream React changes

diff facebook/[email protected]

• https://github.com/facebook/react/pull/36134 — Fix useDeferredValue getting stuck
• https://github.com/facebook/react/pull/36094 — DevTools: display subtree for Activity

Packages updated

• react / react-dom / scheduler (canary + experimental)
• react-server-dom-webpack / react-server-dom-turbopack (canary + experimental)
• react-is

62 files changed across package.json, pnpm-lock.yaml, and packages/next/src/compiled/.

Test plan

• CI passes (build, lint, types, tests)
• No regressions in RSC e2e tests
• Verify vendored server-dom packages contain DoS mitigations (bound args limit, array size limit, BigInt limit, proto guards)

Changed files

• package.json (modified, +15/-15)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-client.development.js (modified, +8/-7)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-client.production.js (modified, +8/-6)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-profiling.development.js (modified, +8/-7)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-profiling.profiling.js (modified, +8/-6)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server-legacy.browser.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server-legacy.browser.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server-legacy.node.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server-legacy.node.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.browser.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.browser.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.bun.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.edge.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.edge.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.node.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-server.node.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-unstable_testing.development.js (modified, +8/-7)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom-unstable_testing.production.js (modified, +8/-6)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom.react-server.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/cjs/react-dom.react-server.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom-experimental/package.json (modified, +2/-2)
• packages/next/src/compiled/react-dom/cjs/react-dom-client.development.js (modified, +8/-7)
• packages/next/src/compiled/react-dom/cjs/react-dom-client.production.js (modified, +8/-6)
• packages/next/src/compiled/react-dom/cjs/react-dom-profiling.development.js (modified, +8/-7)
• packages/next/src/compiled/react-dom/cjs/react-dom-profiling.profiling.js (modified, +8/-6)
• packages/next/src/compiled/react-dom/cjs/react-dom-server-legacy.browser.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom-server-legacy.browser.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom-server-legacy.node.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom-server-legacy.node.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.browser.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.browser.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.bun.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.edge.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.edge.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.node.development.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom-server.node.production.js (modified, +3/-3)
• packages/next/src/compiled/react-dom/cjs/react-dom.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom.react-server.development.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/cjs/react-dom.react-server.production.js (modified, +1/-1)
• packages/next/src/compiled/react-dom/package.json (modified, +2/-2)
• packages/next/src/compiled/react-experimental/cjs/react.development.js (modified, +1/-1)
• packages/next/src/compiled/react-experimental/cjs/react.production.js (modified, +1/-1)
• packages/next/src/compiled/react-experimental/cjs/react.react-server.development.js (modified, +1/-1)
• packages/next/src/compiled/react-experimental/cjs/react.react-server.production.js (modified, +1/-1)
• packages/next/src/compiled/react-is/package.json (modified, +1/-1)
• packages/next/src/compiled/react-server-dom-turbopack-experimental/cjs/react-server-dom-turbopack-client.browser.development.js (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-turbopack-experimental/package.json (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-turbopack/package.json (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-webpack-experimental/cjs/react-server-dom-webpack-client.browser.development.js (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-webpack-experimental/package.json (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js (modified, +2/-2)
• packages/next/src/compiled/react-server-dom-webpack/package.json (modified, +2/-2)
• packages/next/src/compiled/react/cjs/react.development.js (modified, +1/-1)
• packages/next/src/compiled/react/cjs/react.production.js (modified, +1/-1)
• packages/next/src/compiled/react/cjs/react.react-server.development.js (modified, +1/-1)
• packages/next/src/compiled/react/cjs/react.react-server.production.js (modified, +1/-1)
• packages/next/src/compiled/unistore/unistore.js (modified, +1/-1)
• pnpm-lock.yaml (modified, +919/-919)