HIGH SeverityCVSS 3.17.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2026-23869
Last updated Apr 08, 2026 · Published Apr 08, 2026
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Affected products
1 listed- Meta:react-server-dom-parcel; Meta:react-server-dom-turbopack; Meta:react-server-dom-webpack
Mappings
CWE
CWE-400; CWE-502
CAPEC
None listed.
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms