JustAppSec

React patches Server Function DoS in React Server Components

Published 08 Apr 2026. Source: GitHub Security Advisory (facebook/react)

TL;DR — React Server Components can be DoS’d via crafted requests to Server Function endpoints that drive excessive CPU usage for up to ~1 minute per request.

What happened

React Server Components (RSC) are React’s server-rendering architecture used by frameworks/bundlers to stream server-rendered UI and invoke “Server Functions” over HTTP. A new advisory reports a denial-of-service condition where specially crafted HTTP requests to Server Function endpoints can trigger excessive CPU usage for up to a minute, ending in a catchable error.

This is operationally important because Server Function endpoints are often internet-reachable (directly or via an app gateway), making CPU-bound DoS a realistic availability risk for teams running RSC at scale.

Who is impacted

  • Deployments using React Server Components via the following npm packages:
    Package                     Affected versions (per advisory)                      Patched versions (per advisory)
    react-server-dom-parcel     19.0.0 to 19.0.4, 19.1.0 to 19.1.5, 19.2.0 to 19.2.4  19.0.5, 19.1.6, 19.2.5
    react-server-dom-turbopack  19.0.0 to 19.0.4, 19.1.0 to 19.1.5, 19.2.0 to 19.2.4  19.0.5, 19.1.6, 19.2.5
    react-server-dom-webpack    19.0.0 to 19.0.4, 19.1.0 to 19.1.5, 19.2.0 to 19.2.4  19.0.5, 19.1.6, 19.2.5
  • Per the advisory, apps that do not use a server or do not use a framework/bundler (or plugin) that supports React Server Components are not affected.

What to do now

  • Follow vendor remediation guidance and apply a patched release.

    "We recommend updating immediately."

    "If you are using any of the above packages please upgrade to any of the fixed versions immediately."

  • Inventory where RSC / Server Function endpoints are exposed (edge, ingress, API gateway, service mesh) and prioritize patching externally reachable services first.

  • As defense-in-depth (especially if upgrade rollout will take time), consider tightening request-rate controls and CPU/timeout safeguards around Server Function endpoints to reduce the blast radius of CPU-amplification requests.
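
To support the inventory and patching steps above, the following added example (not code from the advisory or from React) checks a parsed package-lock.json for the three packages and the version ranges listed on this page. The function names, the "review" status for pre-release builds, and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: flag lockfile entries that fall in the affected ranges listed on this page.
const PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
// "major.minor" -> [last affected patch, first patched release], from the table above.
const LINES = {
  "19.0": [4, "19.0.5"],
  "19.1": [5, "19.1.6"],
  "19.2": [4, "19.2.5"],
};

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || "");
  // Pre-release/canary or missing versions are not covered by the table: review by hand.
  if (!m) return { status: "review" };
  const line = LINES[`${m[1]}.${m[2]}`];
  if (line && Number(m[3]) <= line[0]) return { status: "affected", upgradeTo: line[1] };
  return { status: "ok" };
}

// `lock` is a parsed package-lock.json (lockfileVersion 2 or 3, which has a `packages` map).
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/react-server-dom-webpack",
    // so nested (transitive) copies pulled in by a framework are caught too.
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.has(name)) continue;
    const result = classify(entry.version);
    if (result.status !== "ok") findings.push({ path, name, version: entry.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile fragment, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.5" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.5" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0-rc.1" },
    "node_modules/react": { version: "19.1.5" },
  },
};

console.log(findAffected(sampleLock));
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` and run it per deployable service, starting with the externally reachable ones.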

