PT-2026-37660 · Npm · React-Server-Dom-Webpack+2
Highzpa
Published: 2026-05-06 · Updated: 2026-05-10 · CVE-2026-23870
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
react-server-dom-webpack versions 19.0.0 through 19.0.5
react-server-dom-webpack versions 19.1.0 through 19.1.6
react-server-dom-webpack versions 19.2.0 through 19.2.5
react-server-dom-parcel versions 19.0.0 through 19.0.5
react-server-dom-parcel versions 19.1.0 through 19.1.6
react-server-dom-parcel versions 19.2.0 through 19.2.5
react-server-dom-turbopack versions 19.0.0 through 19.0.5
react-server-dom-turbopack versions 19.1.0 through 19.1.6
react-server-dom-turbopack versions 19.2.0 through 19.2.5
Next.js versions prior to 15.5.16
Next.js versions prior to 16.2.5
Description
A denial of service issue in React Server Components allows an attacker to disable a web application by exhausting server resources. This is triggered by sending specially crafted HTTP requests to server function endpoints, which can lead to server crashes, out-of-memory exceptions, or excessive CPU usage. Exploitation requires a specific architectural setup.
Recommendations
Update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to versions 19.0.6, 19.1.7, or 19.2.6.
Update Next.js to version 15.5.16 or 16.2.5.
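To check a project against the version ranges listed above, the following added example (not part of the original advisory, and not code from the React or Next.js projects) scans the `packages` map of a package-lock.json, including copies nested under other dependencies. The function names, the sample lockfile, and the way the two Next.js lines are combined are assumptions.

```javascript
// Added example; ranges are transcribed from the advisory text on this page.
const RSC_PACKAGES = ["webpack", "parcel", "turbopack"].map((b) => "react-server-dom-" + b);
// [first affected, first fixed] for each release line.
const RSC_RANGES = [["19.0.0", "19.0.6"], ["19.1.0", "19.1.7"], ["19.2.0", "19.2.6"]];

// Numeric core only; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function checkPackage(name, version) {
  const v = parseVersion(version);
  const out = (status, fixed = null) => ({ name, version, status, fixed });
  if (!v) return out("unparsed");
  const below = (s) => compareVersions(v, parseVersion(s)) < 0;
  if (RSC_PACKAGES.includes(name)) {
    const hit = RSC_RANGES.find(([lo, fix]) => !below(lo) && below(fix));
    return hit ? out("affected", hit[1]) : out("not-listed");
  }
  if (name === "next") {
    // Assumption: 16.x is measured against 16.2.5, anything older against 15.5.16.
    const fix = v[0] >= 16 ? "16.2.5" : "15.5.16";
    return below(fix) ? out("affected", fix) : out("not-listed");
  }
  return out("not-covered");
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), so
// copies nested under another dependency's node_modules are checked too.
function scanLockfile(lock) {
  const marker = "node_modules/";
  const nameOf = (path) => path.slice(path.lastIndexOf(marker) + marker.length);
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path.includes(marker) && entry.version)
    .map(([path, entry]) => ({ path, ...checkPackage(nameOf(path), entry.version) }))
    .filter((r) => r.status === "affected");
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.5.9" },
  "node_modules/react-server-dom-webpack": { version: "19.2.6" },
  "node_modules/some-plugin/node_modules/react-server-dom-parcel": { version: "19.1.3" },
} };
```

`scanLockfile(SAMPLE_LOCK)` returns two findings: the top-level `next` 15.5.9 and the nested `react-server-dom-parcel` 19.1.3, each with the fixed version to move to.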
Fix
Affected Products
React-Server-Dom-Parcel
React-Server-Dom-Turbopack
React-Server-Dom-Webpack