Skip to main content

React Server Components CVE-2026-23870

| EUVDEUVD-2026-27867 HIGH
2026-05-06 Meta GHSA-rv78-f8rc-xrxh
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 17:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)

Ecosystem-wide dependent count for version 19.0.0.

DescriptionCVE.org

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

AnalysisAI

Remote denial of service in React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5 allows unauthenticated remote attackers to crash servers, trigger out-of-memory exceptions, or exhaust CPU resources by sending specially crafted HTTP requests to server function endpoints. The CVSS 7.5 score reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable and vulnerability disclosed by Meta directly.

Technical ContextAI

This vulnerability affects React Server Components (RSC), Meta's framework for server-side rendering React applications with server-client data streaming. The affected packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) are bundler-specific implementations that handle serialization and deserialization of server function calls over HTTP. The vulnerability lies in how these packages process HTTP requests targeting server function endpoints, likely involving inadequate input validation, resource limits, or error handling in the request parsing or execution layer. Without a CWE classification, the root cause class is unspecified, but the symptoms (crashes, OOM, CPU exhaustion) suggest potential issues such as algorithmic complexity attacks, unbounded resource consumption, or improper handling of malformed payloads during server action invocations.

RemediationAI

Upgrade to patched versions immediately per Meta's security advisory at https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh (exact patched versions not specified in provided data but likely 19.0.6+, 19.1.7+, and 19.2.6+ based on affected version ranges). Until patching is possible, implement rate limiting on server function endpoints to mitigate CPU exhaustion and memory consumption attacks, though this does not prevent crashes from malformed requests. Deploy application-layer firewalls or reverse proxies with request size limits and payload validation to filter malicious HTTP requests before they reach React Server Components. Monitor server resource usage (CPU, memory) and configure automatic restarts with crash recovery to maintain availability during potential attacks, though this is a reactive control that does not prevent exploitation. Consider temporarily disabling server functions in non-critical features if patching cannot be deployed immediately, though this may impact application functionality. Note that rate limiting may affect legitimate high-volume users, and payload filtering requires understanding valid request patterns to avoid blocking legitimate traffic.

Vendor StatusVendor

Share

CVE-2026-23870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy