CVE-2026-23870

HIGH LAB

react-server-dom-webpack 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5 - DoS via Crafted HTTP Requests


Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-23870. PoCs published by dwisiswant0, XZ1r0, emresandikci.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2026-23870, a React server-action stream DoS vulnerability in Next.js v16.2.4. It includes detailed technical analysis, vulnerable code excerpts, and runnable exploit scripts.

Description

A denial-of-service vulnerability can be triggered by sending specially crafted HTTP requests to server function endpoints. This can lead to server crashes, out-of-memory exceptions, or excessive CPU usage. The following packages are affected: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

Exploits (3)

github WORKING POC 1 star
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional exploit code for CVE-2026-23870, a React server-action stream DoS vulnerability in Next.js v16.2.4. It includes detailed technical analysis, vulnerable code excerpts, and runnable exploit scripts.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 target
devstral-2 · analyzed May 08, 2026
github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-23870_GHSA-8h8q-6873-q5fj

This repository contains a functional exploit for CVE-2026-23870, a DoS vulnerability in Next.js (pre-16.2.5) caused by unbounded recursion in the RSC (React Server Components) reply parser. The exploit constructs a cyclic RSC payload that exhausts CPU resources when processed by vulnerable versions of Next.js.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Next.js < 16.2.5
No auth needed
Prerequisites: A Next.js server with server actions enabled
devstral-2 · analyzed May 21, 2026
nomisec SCANNER
by emresandikci · poc
https://github.com/emresandikci/nextjs-cve-2026-23870-checker

This repository provides a CLI tool to scan and fix Next.js projects affected by CVE-2026-23870 and related vulnerabilities. It checks package versions and suggests updates but does not contain exploit code.

Classification
Scanner 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Next.js (versions 13.x, 14.x, 15.x, 16.x)
No auth needed
Prerequisites: Next.js project with vulnerable dependencies
devstral-2 · analyzed May 14, 2026

Scores

CVSS v3 7.5
EPSS 0.0034
EPSS Percentile 56.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

Status published
Products (18)
Meta/react-server-dom-parcel 19.0.0 - 19.0.5
Meta/react-server-dom-parcel 19.1.0 - 19.1.6
Meta/react-server-dom-parcel 19.2.0 - 19.2.5
Meta/react-server-dom-turbopack 19.0.0 - 19.0.5
Meta/react-server-dom-turbopack 19.1.0 - 19.1.6
Meta/react-server-dom-turbopack 19.2.0 - 19.2.5
Meta/react-server-dom-webpack 19.0.0 - 19.0.5
Meta/react-server-dom-webpack 19.1.0 - 19.1.6
Meta/react-server-dom-webpack 19.2.0 - 19.2.5
npm/react-server-dom-parcel 19.0.0 - 19.0.6
... and 8 more
Published May 06, 2026
Tracked Since May 06, 2026