VYPR
High severity7.5GHSA Advisory· Published May 6, 2026· Updated May 7, 2026

CVE-2026-23870

CVE-2026-23870

Description

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
react-server-dom-parcelnpm
>= 19.0.0, < 19.0.619.0.6
react-server-dom-turbopacknpm
>= 19.0.0, < 19.0.619.0.6
react-server-dom-webpacknpm
>= 19.0.0, < 19.0.619.0.6
react-server-dom-parcelnpm
>= 19.1.0, < 19.1.719.1.7
react-server-dom-turbopacknpm
>= 19.1.0, < 19.1.719.1.7
react-server-dom-webpacknpm
>= 19.1.0, < 19.1.719.1.7
react-server-dom-parcelnpm
>= 19.2.0, < 19.2.619.2.6
react-server-dom-turbopacknpm
>= 19.2.0, < 19.2.619.2.6
react-server-dom-webpacknpm
>= 19.2.0, < 19.2.619.2.6

Affected products

4

Patches

Vulnerability mechanics

References

5

News mentions

1