High severity7.5NVD Advisory· Published Apr 8, 2026· Updated Apr 8, 2026
CVE-2026-23869
CVE-2026-23869
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
react-server-dom-parcelnpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-parcelnpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-parcelnpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
react-server-dom-turbopacknpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-turbopacknpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-turbopacknpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
react-server-dom-webpacknpm | >= 19.0.0, < 19.0.5 | 19.0.5 |
react-server-dom-webpacknpm | >= 19.1.0, < 19.1.6 | 19.1.6 |
react-server-dom-webpacknpm | >= 19.2.0, < 19.2.5 | 19.2.5 |
Affected products
1- Range: >=19.0.0,<=19.2.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.