Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in React Server Components allows attackers to trigger excessive CPU consumption by sending crafted HTTP requests to Server Function endpoints. The request payload forces the server to perform intensive processing for up to a minute before raising a catchable error, which can render the application unresponsive. This resource exhaustion leads to a denial of service for users of the affected application.

Affected Systems

The vulnerability affects Meta's React Server Components packages: react-server-dom-parcel versions 19.0.0 through 19.0.4, react-server-dom-turbopack versions 19.1.0 through 19.1.5, and react-server-dom-webpack versions 19.2.0 through 19.2.4.

Risk and Exploitability

The CVSS score of 7.5 rates this vulnerability as high severity. However, the EPSS score is below 1 % and the issue is not listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. The attack vector is network‑based; an attacker can send the crafted request over HTTP directly to the server function endpoint, causing the target server to consume excessive CPU resources. Because the error thrown is catchable, the application may recover, but the temporary denial of service can impact user experience and system stability.

Generated by OpenCVE AI on April 11, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Determine the current versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in your codebase.
  • Upgrade each package to a version outside the affected ranges (for example, 19.0.5 or later for react-server-dom-parcel, 19.1.6 or later for react-server-dom-turbopack, and 19.2.5 or later for react-server-dom-webpack) or to the latest release available.
  • Verify the upgraded packages by running unit tests and functional tests in a staging environment before deploying to production.
  • Deploy the updated packages to production once testing is successful.
  • Monitor CPU usage and logs after deployment to confirm that the denial‑of‑service behavior no longer occurs.

Generated by OpenCVE AI on April 11, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-479c-33wc-g2pg React Server Components have a Denial of Service Vulnerability
History

Sat, 11 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title CPU‑Exhaustion Denial of Service in React Server Components react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title CPU‑Exhaustion Denial of Service in React Server Components
First Time appeared Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack
Vendors & Products Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-502
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Facebook React-server-dom-parcel React-server-dom-turbopack React-server-dom-webpack
cve-icon MITRE

Status: PUBLISHED

Assigner: Meta

Published:

Updated: 2026-04-08T19:56:22.791Z

Reserved: 2026-01-16T19:49:26.309Z

Link: CVE-2026-23869

cve-icon Vulnrichment

Updated: 2026-04-08T19:53:45.958Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:23.003

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-23869

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-08T19:11:08Z

Links: CVE-2026-23869 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:25:06Z

Weaknesses