React Server Components haben eine Denial of Service Vulnerability

This vulnerability allows an attacker to disrupt the availability of applications utilizing React Server Components. The crafted HTTP requests trigger a resource exhaustion scenario, consuming significant CPU resources for up to a minute before resulting in a thrown error. While the error is catchable, the preceding CPU spike can severely degrade performance and potentially crash the server. The impact is particularly severe in production environments with high traffic volumes, as a successful attack could render the application unresponsive to legitimate users. This vulnerability shares similarities with other resource exhaustion attacks targeting server-side components, highlighting the importance of input validation and rate limiting.

Applications utilizing React Server Components and relying on the vulnerable react-server-dom-parcel, react-server-dom-turbopack, or react-server-dom-webpack packages are at risk. This includes projects using modern React development workflows and those deploying Server Functions to handle backend logic. Specifically, teams with limited resources or those running applications on shared hosting environments are particularly vulnerable due to the potential for resource exhaustion.

• nodejs / server: Monitor CPU utilization on servers running react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Look for sustained high CPU usage without corresponding user activity.

  top -n 1 | grep -E 'react-server-dom-parcel|react-server-dom-turbopack|react-server-dom-webpack'

• nodejs / server: Examine application logs for errors related to excessive CPU usage or exceptions thrown within Server Function endpoints.

grep -i 'cpu usage|server function error' /var/log/app/application.log

• generic web: Monitor HTTP request patterns to Server Function endpoints for unusual activity, such as a sudden surge in requests from a single IP address.

  curl -v <server_function_endpoint> # Examine request/response headers for anomalies

1. 2026-04-10Disclosure

   disclosure

1. Reserviert2026-01-16
2. Veröffentlicht2026-04-10
3. EPSS aktualisiert2026-04-16

The primary mitigation is to immediately upgrade react-server-dom-parcel to version 19.0.5 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as rate limiting on Server Function endpoints to restrict the number of requests from a single source. Additionally, implement robust input validation to filter out potentially malicious requests. Monitoring CPU usage on the server is crucial to detect potential attacks. While a direct detection signature is difficult to create, increased CPU load on Server Function endpoints should be investigated. After upgrade, confirm the fix by sending a test payload and verifying that CPU usage remains within acceptable limits.