CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.
Analysis
Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. …
Remediation
Within 24 hours: Identify all production and staging environments running React Server Components versions 19.0.0-19.2.4 using dependency scanning tools (npm audit, Software Composition Analysis). Within 7 days: Implement rate-limiting and request throttling on Server Function endpoints to mitigate CPU exhaustion; document affected component versions and systems. …
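For the identification step, the following added example (not part of the advisory or of the React project) scans a parsed `package-lock.json` for the three affected packages and the version ranges given in the description. The function names and the sample lockfile are constructed for illustration, and it assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Package names and version ranges come from the advisory text; function
// names and the sample lockfile are illustrative.
const AFFECTED = {
  names: ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"],
  // [major, minor, lowest affected patch, highest affected patch]
  ranges: [[19, 0, 0, 4], [19, 1, 0, 5], [19, 2, 0, 4]],
};

// True only for an exact release version inside one of the affected ranges.
// Prerelease/canary strings are not matched here; the advisory text does not
// say whether they are affected, so scanLockfile flags them for manual review.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  return AFFECTED.ranges.some(
    ([M, n, lo, hi]) => major === M && minor === n && patch >= lo && patch <= hi
  );
}

// Walks every installed copy, including copies nested under a dependency.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has the key ""
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (!AFFECTED.names.includes(name)) continue;
    const version = String(entry.version || "");
    const status = isAffectedVersion(version)
      ? "affected"
      : /^\d+\.\d+\.\d+$/.test(version) ? "not-in-range" : "review-manually";
    findings.push({ path, name, version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.5" },
    "node_modules/react-server-dom-webpack": { version: "19.1.5" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.5" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0-canary-abc123" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `scanLockfile`; nested copies matter because a framework can bundle its own version of these packages.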
EUVD-2026-20584
GHSA-479c-33wc-g2pg