Denial of Service Vulnerability in React Server Components by Facebook
CVE-2026-23869

7.5 HIGH

Key Information:

Badges

📈 Trended · 📈 Score: 3,040 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2026-23869?

CVE-2026-23869 is a denial of service vulnerability in React Server Components, a framework developed by Meta for building user interfaces in web applications. It affects several packages in the React ecosystem, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, across multiple versions. The vulnerability is triggered by sending crafted HTTP requests to Server Function endpoints, causing excessive CPU usage that degrades the performance of the affected server. The resulting resource consumption can lead to service interruptions, affecting the availability of applications that rely on these components.

Potential impact of CVE-2026-23869

  1. Service Downtime: Organizations using affected React Server Components may experience significant service disruptions due to increased CPU usage, potentially making their web applications unavailable to users.

  2. Resource Drain: The excessive CPU load triggered by this vulnerability can strain server resources, resulting in reduced performance not just for vulnerable applications but also for others hosted on the same infrastructure.

  3. Operational Costs: Prolonged denial of service incidents may lead to increased operational costs, as organizations could face expenses related to infrastructure scaling, incident response, and customer support during downtimes.

Affected Version(s)

react-server-dom-parcel >= 19.0.0, <= 19.0.4

react-server-dom-parcel >= 19.1.0, <= 19.1.5

react-server-dom-parcel >= 19.2.0, <= 19.2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

React2DoS (CVE-2026-23869): When the Flight Protocol Crashes at Takeoff - IT Security News

Executive Summary: In this article, we disclose a new high severity unauthenticated remote denial-of-service vulnerability we identified and reported in React Server Components that we've dubbed "React2DoS". In this blog, we'll analyze its impact and place it in the broader…

3 weeks ago

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📈 Vulnerability started trending

  • 📰 First article discovered by IT Security News

  • Vulnerability published

  • Vulnerability reserved