CVE-2026-23869 PUBLISHED

Assigner: Meta
Reserved: 16.01.2026 Published: 08.04.2026 Updated: 08.04.2026

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Meta
Product	react-server-dom-turbopack
Versions	Default: unaffected affected from 19.0.0 to 19.0.4 (incl.) affected from 19.1.0 to 19.1.5 (incl.) affected from 19.2.0 to 19.2.4 (incl.)

Vendor	Meta
Product	react-server-dom-parcel
Versions	Default: unaffected affected from 19.0.0 to 19.0.4 (incl.) affected from 19.1.0 to 19.1.5 (incl.) affected from 19.2.0 to 19.2.4 (incl.)

Vendor	Meta
Product	react-server-dom-webpack
Versions	Default: unaffected affected from 19.0.0 to 19.0.4 (incl.) affected from 19.1.0 to 19.1.5 (incl.) affected from 19.2.0 to 19.2.4 (incl.)

References

https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg

Problem Types

(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption