Executive Summary

CVE-2026-23869 is a high-severity denial of service (DoS) vulnerability in React Server Components affecting the npm packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in certain versions.

The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints, which causes excessive CPU usage for up to one minute and results in a thrown, catchable error.

This issue arises from deserialization of untrusted data without sufficient validation, leading to uncontrolled resource consumption.

It can be exploited remotely over the network without any privileges or user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the availability of applications using the affected React Server Components packages.

By sending specially crafted HTTP requests, an attacker can cause excessive CPU usage, potentially making the service unresponsive or slow for up to a minute.

Although it does not affect confidentiality or integrity, the denial of service can disrupt normal operations and degrade user experience.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints, causing excessive CPU usage for up to one minute and resulting in a thrown, catchable error.

Detection can involve monitoring for unusual spikes in CPU usage on systems running affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4).

Network detection may include capturing and analyzing HTTP requests to identify unusually crafted payloads targeting Server Function endpoints.

• Use system monitoring tools like 'top' or 'htop' on Linux to observe CPU usage spikes.
• Use network traffic analysis tools such as 'tcpdump' or 'Wireshark' to capture HTTP requests and inspect for suspicious payloads.
• Use command-line tools like 'curl' or 'httpie' to manually send test HTTP requests to Server Function endpoints to observe if the system exhibits excessive CPU usage or throws errors.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability is a denial of service (DoS) issue that impacts availability by causing excessive CPU usage and service disruption. It does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise confidentiality or integrity, it does not directly lead to data breaches or unauthorized data access that are typically critical for compliance with standards like GDPR or HIPAA.

However, the availability impact could affect compliance if the affected systems are required to maintain high availability or continuous service as part of regulatory requirements or service level agreements.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the affected React Server Components packages to fixed versions.

• Upgrade react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to versions 19.0.5, 19.1.6, or 19.2.5 or later.

If upgrading immediately is not possible, consider restricting or filtering incoming HTTP requests to Server Function endpoints to prevent specially crafted payloads from reaching the server.

Monitor system resources to detect and respond to unusual CPU usage patterns that may indicate exploitation attempts.

Applications not using React Server Components or not using a framework, bundler, or bundler plugin supporting React Server Components are not affected.

Useful 0 Not Useful 0