Denial of Service Vulnerability in React Server Packages by Facebook

CVE-2026-23870

What is CVE-2026-23870?

CVE-2026-23870 is a denial of service vulnerability found in Meta's React Server Packages, specifically affecting versions 19.0.0 through 19.2.5 of packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. This vulnerability arises when a server processes specially crafted HTTP requests directed at its function endpoints. When triggered, the vulnerability can lead to severe operational issues, including server crashes, out-of-memory exceptions, and excessive CPU usage. Organizations utilizing these packages for building and deploying applications may face significant downtime and performance degradation should this vulnerability be exploited.

Potential impact of CVE-2026-23870

1. Service Disruption: The denial of service nature of this vulnerability can cause complete server outages, impacting the availability of services for end users, potentially leading to lost revenue and a damaged reputation.

2. Resource Exhaustion: By exploiting this vulnerability, an attacker could cause the server to consume excessive resources, resulting in out-of-memory errors or hindered performance. This can degrade the user experience and may necessitate costly remedial measures.

3. Operational Costs: Addressing the issues caused by this vulnerability, including re-engineering server settings, deploying patches, and possibly scaling up system resources to handle more traffic, can incur additional operational costs for the organization, diverting valuable resources from other projects.

News Articles

Cybersecuritynews

CVE-2026-23870CVE-2026-44578

Multiple Critical Vulnerabilities Patched in Next.js and React Server Components

Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting.

3 days ago

References