Platform: nodejs
Component: react-server-dom-parcel
Fixed in: 19.2.5, 19.0.5
A denial-of-service (DoS) vulnerability has been identified in React Server Components, affecting the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. An attacker can trigger it by sending specially crafted HTTP requests to Server Function endpoints, causing excessive CPU usage on the server and potential application instability. The vulnerability affects versions 19.0.0 through 19.2.0; the fixed releases are 19.0.5 and 19.2.5.
This vulnerability lets an attacker degrade the availability of any application that uses React Server Components. Each malicious request can keep a CPU busy for up to a minute before processing ends with a thrown error. The error is catchable, so the process does not crash, but the CPU time has already been spent, and repeated or concurrent requests can leave the server unresponsive to legitimate users. Successful exploitation can cause service outages and interrupt in-flight operations. The blast radius extends to every application that depends on a vulnerable version of these packages.
This vulnerability was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code had been released at the time of writing, but because the attack consists only of crafted HTTP requests to a normally exposed endpoint, exploitation should be expected to follow quickly once details circulate. The vulnerability is not currently listed in the CISA KEV catalog. The impact is considered significant because React Server Components are widely deployed.
Exploit Status
EPSS: 0.42% (62nd percentile)
The primary mitigation for CVE-2026-23869 is to upgrade the affected packages to the fixed release for the line you are on (19.0.5 or 19.2.5). If an immediate upgrade is not feasible because of compatibility concerns, apply rate limiting to Server Function endpoints so that a single client cannot submit requests faster than they can be processed. A Web Application Firewall (WAF) can enforce such per-client limits in front of the application, but with no public detection signature it cannot reliably tell a crafted request from a legitimate one, so treat it as a throttle rather than a filter. Monitor CPU utilization on servers running these components, and where possible record CPU time per Server Function request, since a sustained single-request CPU spike is the observable symptom of this issue. After upgrading, confirm that every installed copy of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, including nested copies in the lockfile, is at or above the fixed release, and keep the CPU monitoring in place.
Update react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to the fixed release for your line (19.0.5 or 19.2.5, or higher). The update prevents the excessive CPU consumption caused by specially designed HTTP requests. Test your application thoroughly after the update.
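The two interim mitigations above, a per-client rate limit on Server Function endpoints and per-request CPU accounting, as an added example in Node.js. This is not code from the React project or from the advisory. The endpoint prefix /_server, the limits, and the use of req.ip as the client key are assumptions for illustration; substitute the Server Function path and client identifier your framework actually uses.

```javascript
// Added example; not code from the React project or from this advisory.
// A framework-agnostic guard for Server Function endpoints that
//  (a) rate-limits by client key with a token bucket, and
//  (b) measures the CPU time each Server Function request consumes, so a
//      single request burning seconds of CPU is visible per request rather
//      than only as an aggregate host metric.
// The endpoint prefix, limits and the choice of req.ip as the client key are
// assumptions for illustration.

const SERVER_FUNCTION_PREFIX = "/_server"; // assumed prefix for Server Function POSTs

// Token bucket keyed by client. `now` is injectable so behaviour is testable.
class TokenBucket {
  constructor({ capacity = 20, refillPerSec = 5, now = () => Date.now() } = {}) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  // Consumes one token for `key` and returns true; returns false if the bucket is empty.
  take(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = Math.max(0, t - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

function isServerFunctionRequest(req) {
  return req.method === "POST" && typeof req.url === "string" &&
    req.url.startsWith(SERVER_FUNCTION_PREFIX);
}

// Runs handler(req) and returns its result with the CPU time (user + system, in
// milliseconds) the process consumed meanwhile. process.cpuUsage(prev) returns the
// delta since `prev` in microseconds. Concurrent requests share the process, so
// treat the figure as an upper bound per request and as a trend signal.
async function withCpuAccounting(handler, req) {
  const before = process.cpuUsage();
  const result = await handler(req);
  const delta = process.cpuUsage(before);
  return { result, cpuMs: (delta.user + delta.system) / 1000 };
}

// True when one request exceeded the CPU budget and should be logged.
function exceedsCpuBudget(cpuMs, budgetMs) {
  return cpuMs > budgetMs;
}

// Builds the guard: guard(req, handler) -> { status, body, cpuMs? }.
function makeGuard({ bucket = new TokenBucket(), cpuBudgetMs = 500, log = console.warn } = {}) {
  return async function guard(req, handler) {
    if (!isServerFunctionRequest(req)) {
      return { status: 200, body: await handler(req) };
    }
    if (!bucket.take(req.ip)) {
      return { status: 429, body: "rate limited" };
    }
    const { result, cpuMs } = await withCpuAccounting(handler, req);
    if (exceedsCpuBudget(cpuMs, cpuBudgetMs)) {
      log(`server function ${req.url} from ${req.ip} consumed ${cpuMs.toFixed(1)} ms CPU`);
    }
    return { status: 200, body: result, cpuMs };
  };
}
```

Wire the guard in front of whatever hands Server Function POSTs to React, and feed the logged lines to your alerting: a burst of 429s from one client, or any single request over the CPU budget, is the signal to investigate. The rate limit only slows an attacker down; the upgrade is what removes the issue.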
CVE-2026-23869 is a denial-of-service vulnerability affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. It allows attackers to cause excessive CPU usage through crafted HTTP requests.
You are affected if you are using versions 19.0.0 through 19.2.0 of react-server-dom-parcel, react-server-dom-turbopack, or react-server-dom-webpack in your React Server Components application.
Upgrade react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to the fixed release for your line, 19.0.5 or 19.2.5, or later. Consider rate limiting and WAF rules as temporary mitigations.
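To answer "am I affected" for a real project, check the lockfile rather than package.json, because the vulnerable package can be pulled in transitively by a framework and installed as a nested copy. The following is an added example, not code from this advisory or from the React project: it walks a package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by install path) and classifies each copy of the three packages against the affected range and fixed releases stated on this page. The sample lockfile is constructed for illustration.

```javascript
// Added example; not code from this advisory or from the React project.
// Scans a package-lock.json "packages" map for the three affected packages and
// classifies each installed copy against the versions stated on this page.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// Affected range and fixed releases as stated on this page.
const AFFECTED_MIN = "19.0.0";
const AFFECTED_MAX = "19.2.0";
const FIXED_BY_LINE = { "19.0": "19.0.5", "19.2": "19.2.5" };
const LATEST_FIXED = "19.2.5";

// Parses "MAJOR.MINOR.PATCH"; any prerelease suffix is ignored (assumption for this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Classifies one installed version:
//  "not-affected": at or above the fixed release for its line, or outside the 19.x range
//  "vulnerable":   inside the stated affected range 19.0.0 through 19.2.0
//  "review":       below the fixed release for its line but outside the stated range
//                  (19.2.1 to 19.2.4); the page does not list these explicitly, so
//                  treat them as needing the upgrade until confirmed otherwise
function assess(version) {
  const [major, minor] = parseVersion(version);
  const fixed = FIXED_BY_LINE[`${major}.${minor}`];
  if (fixed && compareVersions(version, fixed) >= 0) return { status: "not-affected" };
  if (compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0) {
    return { status: "vulnerable", upgradeTo: fixed || LATEST_FIXED };
  }
  if (fixed) return { status: "review", upgradeTo: fixed };
  return { status: "not-affected" };
}

// Walks the lockfile "packages" map. Nested copies live at paths such as
// "node_modules/some-framework/node_modules/react-server-dom-webpack" and are
// checked as well; the package name is the segment after the last "node_modules/".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/") || !entry || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, ...assess(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project) with one direct vulnerable
// copy, one already-fixed copy, and one nested vulnerable copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.5" },
    "node_modules/some-framework/node_modules/react-server-dom-parcel": { version: "19.0.3" },
  },
};

// Returns only the copies that still need action.
function report(lock = SAMPLE_LOCKFILE) {
  return scanLockfile(lock).filter((f) => f.status !== "not-affected");
}
```

Against a real project, pass the parsed contents of package-lock.json to report(); every entry it returns is a copy that must move to the upgradeTo version, and nested copies usually mean the framework that bundles them needs updating too.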
While no active exploitation has been confirmed, the ease of crafting malicious requests suggests a potential for rapid exploitation.
Refer to the official React security advisory for details and updates: [https://react.dev/security](https://react.dev/security)