PT-2026-31432 · Meta · React Server Components

Published: 2026-04-08 · Updated: 2026-05-08 · CVE-2026-23869

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4.
Description: A denial of service vulnerability exists in React Server Components. The issue is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, resulting in a catchable error. This can lead to a denial of service.
Recommendations: Upgrade to versions 19.0.5, 19.1.6, or 19.2.5.
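
A check for the affected ranges listed above, as an added example (not part of the advisory or of React's own tooling): it walks the `packages` map of a parsed npm lockfile, assuming the lockfileVersion 2/3 layout, and reports react-server-dom-* installs that fall in the affected ranges together with the release to upgrade to. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag react-server-dom-* installs in the ranges the advisory lists.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);
// Release line -> first fixed patch level (19.0.5, 19.1.6, 19.2.5 per the advisory).
const FIRST_FIXED_PATCH = new Map([['19.0', 5], ['19.1', 6], ['19.2', 5]]);

// Classify one version string against the advisory's ranges.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  // Prereleases, dist-tags and missing versions are not covered by the ranges: review by hand.
  if (!m) return { state: 'review', upgradeTo: null };
  const line = `${m[1]}.${m[2]}`;
  const fixedPatch = FIRST_FIXED_PATCH.get(line);
  // Release lines the advisory does not list, or patch levels at/after the fix.
  if (fixedPatch === undefined || Number(m[3]) >= fixedPatch) {
    return { state: 'not-affected', upgradeTo: null };
  }
  return { state: 'affected', upgradeTo: `${line}.${fixedPatch}` };
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/b; the last segment is the name.
    const name = entry.name || path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const result = classify(entry.version);
    if (result.state !== 'not-affected') {
      findings.push({ path, name, version: entry.version, ...result });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react-server-dom-webpack': { version: '19.1.5' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.2.5' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0-canary-abc' },
    'node_modules/react': { version: '19.1.5' },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `scanLockfile`; copies nested under a framework's own `node_modules` are reported with their full path.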

Fix · DoS · Deserialization of Untrusted Data · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-23869
GHSA-479C-33WC-G2PG

Affected Products

React Server Components