CVE-2026-23870 PUBLISHED

Assigner: Meta
Reserved: 16.01.2026 Published: 06.05.2026 Updated: 06.05.2026

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Meta
Product	react-server-dom-turbopack
Versions	Default: unaffected affected from 19.0.0 to 19.0.5 (incl.) affected from 19.1.0 to 19.1.6 (incl.) affected from 19.2.0 to 19.2.5 (incl.)

Vendor	Meta
Product	react-server-dom-parcel
Versions	Default: unaffected affected from 19.0.0 to 19.0.5 (incl.) affected from 19.1.0 to 19.1.6 (incl.) affected from 19.2.0 to 19.2.5 (incl.)

Vendor	Meta
Product	react-server-dom-webpack
Versions	Default: unaffected affected from 19.0.0 to 19.0.5 (incl.) affected from 19.1.0 to 19.1.6 (incl.) affected from 19.2.0 to 19.2.5 (incl.)

References

https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh

Problem Types

(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption