Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (fb).
CVSS VectorVendor: fb
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)
Ecosystem-wide dependent count for version 19.0.0.
DescriptionCVE.org
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
AnalysisAI
Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS unavailable).
Technical ContextAI
CWE-400 uncontrolled resource consumption vulnerability in Server Function request parsing logic. Malformed HTTP payload triggers algorithmic complexity attack causing sustained CPU spike until catchable error thrown. Root cause lies in insufficient input validation and resource throttling in server-side rendering component request handlers.
RemediationAI
Vendor-released patches available per GitHub Security Advisory GHSA-479c-33wc-g2pg. Upgrade affected packages to patched versions immediately. Primary mitigation: update react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to latest stable release beyond 19.2.4 series. Interim workarounds: implement rate limiting and request timeout controls on Server Function endpoints; deploy web application firewall rules to detect and block malformed Server Component requests; monitor CPU utilization metrics for anomalous spikes. Advisory reference: https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg. Organizations unable to patch immediately should consider temporarily disabling Server Function endpoints or restricting access to trusted networks only.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20584
GHSA-479c-33wc-g2pg