CVE-2026-23870
Denial of Service in React Server DOM Packages
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Facebook, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial of service (DoS) issue that can be triggered by sending specially crafted HTTP requests to certain server function endpoints.
When exploited, it can cause the server to crash, throw out-of-memory exceptions, or experience excessive CPU usage.
It affects specific versions of the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
How can this vulnerability impact me? :
The impact of this vulnerability is primarily a denial of service condition.
An attacker could cause your server to crash or become unresponsive by sending malicious HTTP requests.
This could lead to service outages, degraded performance due to high CPU usage, or resource exhaustion from out-of-memory errors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described is a denial of service issue that can cause server crashes, out-of-memory exceptions, or excessive CPU usage. It does not directly impact confidentiality or integrity of data.
Since the vulnerability does not involve unauthorized access to or disclosure of personal or sensitive data, it does not directly affect compliance with standards such as GDPR or HIPAA, which primarily focus on data protection and privacy.
However, denial of service incidents can indirectly affect availability requirements under these regulations, as they may disrupt service availability and access to data.