CVE-2026-23869

HIGH

React Server Components 19.0.0-19.0.4 19.1.0-19.1.5 19.2.0-19.2.4 - Denial of Service via Crafted HTTP Requests


Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-23869. PoCs published by adminlove520, cybertechajju, XZ1r0.

AI-analyzed exploit summary: The repository claims to provide a PoC for CVE-2026-23869 but only includes a README with a link to an external gist. No actual exploit code is present in the repo, and the description lacks technical details about the vulnerability.

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.

Exploits (4)

github SUSPICIOUS 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-23869

The repository claims to provide a PoC for CVE-2026-23869 but only includes a README with a link to an external gist. No actual exploit code is present in the repo, and the description lacks technical details about the vulnerability.

Classification: Suspicious 90%
Attack Type: DoS
Complexity: Theoretical
Reliability: Theoretical
Target: React Server Components before 19.2.5
No auth needed
Prerequisites: valid action-id
devstral-2 · analyzed May 05, 2026

nomisec WORKING POC 1 star
by cybertechajju · poc
https://github.com/cybertechajju/CVE-2026-23869-Exploit

This repository contains a functional exploit for CVE-2026-23869, a DoS vulnerability in React Server Components. The exploit leverages a crafted Flight protocol payload with self-referencing $Q markers to trigger quadratic CPU exhaustion in vulnerable React versions.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) before 19.2.5
No auth needed
Prerequisites: Target must be running a vulnerable version of React Server Components · Target must be accessible via HTTP
devstral-2 · analyzed Apr 11, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-23869-Exploit

This repository contains a functional exploit for CVE-2026-23869, a DoS vulnerability in React Server Components. The exploit leverages a quadratic complexity issue in the Flight protocol deserialization, causing CPU exhaustion through crafted HTTP requests.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: React Server Components <= 19.2.4, Next.js < 15.5.15
No auth needed
Prerequisites: Target must be running vulnerable React Server Components or Next.js · Server Action IDs must be extracted from the target
devstral-2 · analyzed May 21, 2026

nomisec SUSPICIOUS
by yohannslm · poc
https://github.com/yohannslm/CVE-2026-23869

The repository claims to contain a PoC for CVE-2026-23869, a DoS vulnerability in React Server Components, but only provides a link to an external gist without including actual exploit code. The README lacks technical details and relies on an external source.

Classification: Suspicious 90%
Attack Type: DoS
Complexity: Theoretical
Reliability: Theoretical
Target: React Server Components before 19.2.5
No auth needed
Prerequisites: valid action-id
devstral-2 · analyzed Apr 10, 2026

Scores

CVSS v3 7.5
EPSS 0.0084
EPSS Percentile 75.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-400 CWE-502
Status published
Products (12)
Meta/react-server-dom-parcel 19.0.0 - 19.0.4
Meta/react-server-dom-parcel 19.1.0 - 19.1.5
Meta/react-server-dom-parcel 19.2.0 - 19.2.4
Meta/react-server-dom-turbopack 19.0.0 - 19.0.4
Meta/react-server-dom-turbopack 19.1.0 - 19.1.5
Meta/react-server-dom-turbopack 19.2.0 - 19.2.4
Meta/react-server-dom-webpack 19.0.0 - 19.0.4
Meta/react-server-dom-webpack 19.1.0 - 19.1.5
Meta/react-server-dom-webpack 19.2.0 - 19.2.4
npm/react-server-dom-parcel 19.0.0 - 19.0.5
... and 2 more
Published Apr 08, 2026
Tracked Since Apr 09, 2026