Highzpa

#32718of 53,625
7.8Total CVSS
Vulnerabilities · 1
PT-2026-37660
7.8
2026-05-06
Npm · React-Server-Dom-Webpack · CVE-2026-23870
**Name of the Vulnerable Software and Affected Versions** react-server-dom-webpack versions 19.0.0 through 19.0.5 react-server-dom-webpack versions 19.1.0 through 19.1.6 react-server-dom-webpack versions 19.2.0 through 19.2.5 react-server-dom-parcel versions 19.0.0 through 19.0.5 react-server-dom-parcel versions 19.1.0 through 19.1.6 react-server-dom-parcel versions 19.2.0 through 19.2.5 react-server-dom-turbopack versions 19.0.0 through 19.0.5 react-server-dom-turbopack versions 19.1.0 through 19.1.6 react-server-dom-turbopack versions 19.2.0 through 19.2.5 Next.js versions prior to 15.5.16 Next.js versions prior to 16.2.5 **Description** A denial of service issue exists in React Server Components that allows an attacker to disable a web application by exhausting server resources. This is triggered by sending specially crafted HTTP requests to server function endpoints, which can lead to server crashes, out-of-memory exceptions, or excessive CPU usage. Exploitation requires a specific architectural setup. **Recommendations** Update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to versions 19.0.6, 19.1.7, or 19.2.6. Update Next.js to version 15.5.16 or 16.2.5.