Denial of Service Vulnerability in React Server Components by Facebook
CVE-2026-23869

7.5 HIGH

What is CVE-2026-23869?

A denial of service vulnerability affects React Server Components, specifically the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. It is exploited by sending specially crafted HTTP requests to Server Function endpoints, which results in excessive CPU usage for an extended period. The crafted payload can also lead to a thrown error that is catchable. Service availability can be disrupted as a result.

Affected Version(s)

react-server-dom-parcel: >= 19.0.0, <= 19.0.4

react-server-dom-parcel: >= 19.1.0, <= 19.1.5

react-server-dom-parcel: >= 19.2.0, <= 19.2.4

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
