Skip to main content

React Server Components CVE-2026-23869

| EUVDEUVD-2026-20584 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-08 cve-assign@fb.com GHSA-479c-33wc-g2pg
7.5
CVSS 3.1 · Vendor: fb
Share

Severity by source

Vendor (fb) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (fb).

CVSS VectorVendor: fb

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20584
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)

Ecosystem-wide dependent count for version 19.0.0.

DescriptionCVE.org

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

AnalysisAI

Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS unavailable).

Technical ContextAI

CWE-400 uncontrolled resource consumption vulnerability in Server Function request parsing logic. Malformed HTTP payload triggers algorithmic complexity attack causing sustained CPU spike until catchable error thrown. Root cause lies in insufficient input validation and resource throttling in server-side rendering component request handlers.

RemediationAI

Vendor-released patches available per GitHub Security Advisory GHSA-479c-33wc-g2pg. Upgrade affected packages to patched versions immediately. Primary mitigation: update react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to latest stable release beyond 19.2.4 series. Interim workarounds: implement rate limiting and request timeout controls on Server Function endpoints; deploy web application firewall rules to detect and block malformed Server Component requests; monitor CPU utilization metrics for anomalous spikes. Advisory reference: https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg. Organizations unable to patch immediately should consider temporarily disabling Server Function endpoints or restricting access to trusted networks only.

Vendor StatusVendor

Share

CVE-2026-23869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy