CVE-2026-23869

HIGH

Meta React-server-dom-turbopack < 19.0.4 - Denial of Service

Title source: rule

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.

Exploits (2)

nomisec WORKING POC 1 stars
by cybertechajju · poc
https://github.com/cybertechajju/CVE-2026-23869-Exploit

nomisec SUSPICIOUS
by yohannslm · poc
https://github.com/yohannslm/CVE-2026-23869

Scores

CVSS v3 7.5
EPSS 0.0073
EPSS Percentile 72.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-502
Status published
Products (12)
Meta/react-server-dom-parcel 19.0.0 - 19.0.4
Meta/react-server-dom-parcel 19.1.0 - 19.1.5
Meta/react-server-dom-parcel 19.2.0 - 19.2.4
Meta/react-server-dom-turbopack 19.0.0 - 19.0.4
Meta/react-server-dom-turbopack 19.1.0 - 19.1.5
Meta/react-server-dom-turbopack 19.2.0 - 19.2.4
Meta/react-server-dom-webpack 19.0.0 - 19.0.4
Meta/react-server-dom-webpack 19.1.0 - 19.1.5
Meta/react-server-dom-webpack 19.2.0 - 19.2.4
npm/react-server-dom-parcel 19.0.0 - 19.0.5
... and 2 more
Published Apr 08, 2026
Tracked Since Apr 09, 2026