High severity7.5NVD Advisory· Published Apr 8, 2026· Updated Apr 8, 2026
CVE-2026-23869
CVE-2026-23869
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
react-server-dom-parcelnpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-parcelnpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-parcelnpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
react-server-dom-turbopacknpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-turbopacknpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-turbopacknpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
react-server-dom-webpacknpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-webpacknpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-webpacknpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
Affected products
3- ghsa-coords3 versions
>= 19.0.0, < 19.0.5+ 2 more
- (no CPE)range: >= 19.0.0, < 19.0.5
- (no CPE)range: >= 19.0.0, < 19.0.5
- (no CPE)range: >= 19.0.0, < 19.0.5
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.