Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)
Ecosystem-wide dependent count for version 19.0.0.
DescriptionCVE.org
A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).
AnalysisAI
Remote denial of service in React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5 allows unauthenticated remote attackers to crash servers, trigger out-of-memory exceptions, or exhaust CPU resources by sending specially crafted HTTP requests to server function endpoints. The CVSS 7.5 score reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable and vulnerability disclosed by Meta directly.
Technical ContextAI
This vulnerability affects React Server Components (RSC), Meta's framework for server-side rendering React applications with server-client data streaming. The affected packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) are bundler-specific implementations that handle serialization and deserialization of server function calls over HTTP. The vulnerability lies in how these packages process HTTP requests targeting server function endpoints, likely involving inadequate input validation, resource limits, or error handling in the request parsing or execution layer. Without a CWE classification, the root cause class is unspecified, but the symptoms (crashes, OOM, CPU exhaustion) suggest potential issues such as algorithmic complexity attacks, unbounded resource consumption, or improper handling of malformed payloads during server action invocations.
RemediationAI
Upgrade to patched versions immediately per Meta's security advisory at https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh (exact patched versions not specified in provided data but likely 19.0.6+, 19.1.7+, and 19.2.6+ based on affected version ranges). Until patching is possible, implement rate limiting on server function endpoints to mitigate CPU exhaustion and memory consumption attacks, though this does not prevent crashes from malformed requests. Deploy application-layer firewalls or reverse proxies with request size limits and payload validation to filter malicious HTTP requests before they reach React Server Components. Monitor server resource usage (CPU, memory) and configure automatic restarts with crash recovery to maintain availability during potential attacks, though this is a reactive control that does not prevent exploitation. Consider temporarily disabling server functions in non-critical features if patching cannot be deployed immediately, though this may impact application functionality. Note that rate limiting may affect legitimate high-volume users, and payload filtering requires understanding valid request patterns to avoid blocking legitimate traffic.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27867
GHSA-rv78-f8rc-xrxh