PatchSiren cyber security CVE debrief

CVE-2026-23869 Meta CVE debrief

CVE-2026-23869 is a denial of service (DoS) vulnerability affecting React Server Components, specifically the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints, causing excessive CPU usage for up to a minute and resulting in a thrown error. This issue has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on April 8, 2026, and last modified on June 30, 2026.

Vendor: Meta
Product: react-server-dom-turbopack
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-08
Original CVE updated: 2026-06-30
Advisory published: 2026-04-08
Advisory updated: 2026-06-30

Who should care

Organizations using React Server Components, specifically the affected packages and versions, should prioritize patching this vulnerability to prevent potential denial of service attacks. This vulnerability could be particularly concerning for applications relying on React Server Components for their server-side rendering, as it could lead to service disruptions. Security teams and developers responsible for maintaining and updating React-based applications should be aware of this issue and take appropriate action.

Technical summary

CVE-2026-23869 is a denial of service issue in React Server Components. It affects the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple versions. The vulnerability is exploited through specially crafted HTTP requests to Server Function endpoints, leading to excessive CPU usage and a subsequent error. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, and high availability impact. The weaknesses associated with this CVE are CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data), and CWE-770 (Allocation of Resources Without Limits or Throttling).

Defensive priority

High priority should be given to patching CVE-2026-23869 due to its high severity CVSS score of 7.5 and the potential for denial of service attacks. Immediate action is recommended for organizations using the affected versions of React Server Components.

Recommended defensive actions

  • Apply patches for react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to versions outside the affected ranges (19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4).
  • Implement rate limiting on HTTP requests to Server Function endpoints to mitigate the impact of crafted requests.
  • Monitor server resources and application performance to detect potential exploitation attempts.
  • Review and update incident response plans to include procedures for handling denial of service attacks.
  • Conduct thorough inventory checks of systems and applications using React Server Components to identify all potentially affected assets.
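As an added example for the inventory and patching steps above (not code from the advisory or from the React project), the following Node.js script walks a package-lock.json and flags any copy of the three affected packages, including nested copies, whose version falls inside the affected ranges stated in this debrief; the sample lockfile is constructed.

```javascript
// Added example, not from the advisory: flag package-lock.json entries that match the
// affected packages and version ranges CVE-2026-23869 lists. SAMPLE_LOCK is constructed.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack',
]);
// Inclusive [low, high] ranges exactly as the advisory states them.
const AFFECTED_RANGES = [['19.0.0', '19.0.4'], ['19.1.0', '19.1.5'], ['19.2.0', '19.2.4']];
// Numeric core of a semver string; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when version falls inside any affected range; unparseable input is not matched.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) <= 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look like
// "node_modules/<name>" or, for nested copies, "node_modules/<dep>/node_modules/<name>".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (AFFECTED_PACKAGES.has(name) && isAffectedVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: a top-level affected copy, a nested affected copy, one fixed version,
// and the unrelated "react" package at an in-range version number that must not match.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react': { version: '19.2.4' },
    'node_modules/react-server-dom-webpack': { version: '19.2.4' },
    'node_modules/react-server-dom-turbopack': { version: '19.1.6' },
    'node_modules/some-lib/node_modules/react-server-dom-parcel': { version: '19.0.4' },
  },
};
for (const h of findAffected(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies pulled in by other dependencies are reported with their full path so they are not missed when only the top-level dependency is upgraded.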

Evidence notes

The CVE-2026-23869 vulnerability details were obtained from the National Vulnerability Database (NVD) and other official sources. The information provided is based on the data available up to June 30, 2026. The CVSS score and vector, as well as the CWE weaknesses, were directly sourced from the NVD entry for this CVE. Additional information was gathered from the React security advisory and Red Hat's security notice.

Official resources

This AI-assisted CVE debrief is based on the supplied source corpus and is intended for informational purposes only. It provides a summary of CVE-2026-23869, a denial of service vulnerability in React Server Components. The information is