CVE-2026-23869
Published 2026-04-08
CVE-2026-23869: A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and…
Priority P347 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 1.55% (72.0th percentile)
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| meta | react-server-dom-parcel | >= 19.0.0 < 19.0.5 | 19.0.5 |
| meta | react-server-dom-parcel | 19.0.0 – 19.0.4 | — |
| meta | react-server-dom-parcel | >= 19.1.0 < 19.1.6 | 19.1.6 |
| meta | react-server-dom-parcel | 19.1.0 – 19.1.5 | — |
| meta | react-server-dom-parcel | >= 19.2.0 < 19.2.5 | 19.2.5 |
| meta | react-server-dom-parcel | 19.2.0 – 19.2.4 | — |
| meta | react-server-dom-turbopack | >= 19.0.0 < 19.0.5 | 19.0.5 |
| meta | react-server-dom-turbopack | 19.0.0 – 19.0.4 | — |
| meta | react-server-dom-turbopack | >= 19.1.0 < 19.1.6 | 19.1.6 |
| meta | react-server-dom-turbopack | 19.1.0 – 19.1.5 | — |
| meta | react-server-dom-turbopack | >= 19.2.0 < 19.2.5 | 19.2.5 |
| meta | react-server-dom-turbopack | 19.2.0 – 19.2.4 | — |
| meta | react-server-dom-webpack | >= 19.0.0 < 19.0.5 | 19.0.5 |
| meta | react-server-dom-webpack | 19.0.0 – 19.0.4 | — |
| meta | react-server-dom-webpack | >= 19.1.0 < 19.1.6 | 19.1.6 |
| meta | react-server-dom-webpack | 19.1.0 – 19.1.5 | — |
| meta | react-server-dom-webpack | >= 19.2.0 < 19.2.5 | 19.2.5 |
| meta | react-server-dom-webpack | 19.2.0 – 19.2.4 | — |
| next | next | >= 13.0.0 < 15.5.15 | 15.5.15 |
| next | next | >= 16.0.0-beta.0 < 16.2.3 | 16.2.3 |
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa · 7.5 · HIGH
vendor_redhat · 7.5 · HIGH
GHSA
React Server Components have a Denial of Service Vulnerability
ghsa·2026-04-10
CVE-2026-23869 [HIGH] CWE-400 React Server Components have a Denial of Service Vulnerability
## Impact
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.
The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
We recommend updating immediately.
The vulnerability exists in versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4 of:
[react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
[react-server-dom-parcel](https://www.npmjs.com
GHSA
Next.js has a Denial of Service with Server Components
ghsa·2026-04-10·CVSS 7.5
CVE-2026-23869 [HIGH] CWE-770 Next.js has a Denial of Service with Server Components
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory in [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.
Red Hat
react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints
vendor_redhat·2026-04-08·CVSS 7.5
CVE-2026-23869 [HIGH] CWE-770 react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints
A flaw was found in react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack. Specially crafted HTTP requests to server function endpoints can result in an excessive consumption of CPU resources for up to a minute, causing an error that is catchable.
Statement: Applications are not vulnerable to this issue if they do not use a server, or if they do not use a framework, bundler, or plugin that supports React server components.
This vulnerability allows an unauthenticated remote attacker to cause a denial of service. Due to these reasons, this flaw has been rated with an important severity.
Mitigation: Red
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-23869 react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints
bugzilla·2026-04-08·CVSS 7.5
CVE-2026-23869 [HIGH] CVE-2026-23869 react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Hackernews
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
blogs_hackernews·2026-04-13·CVSS 8.6
[HIGH] ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.
The variety this week is particularly nasty. We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game
Published: 2026-04-08