Security Vulnerability Report
CVE-2026-23869 CVSS 7.5 HIGH


Published: 2026-04-08 20:16:23
Last Modified: 2026-04-08 21:26:13

Description

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No NVD CPE configuration data is available yet (record status: Awaiting Analysis). Affected package version ranges as stated in the advisory:

react-server-dom-parcel 19.0.0 - 19.0.4
react-server-dom-parcel 19.1.0 - 19.1.5
react-server-dom-parcel 19.2.0 - 19.2.4
react-server-dom-turbopack 19.0.0 - 19.0.4
react-server-dom-turbopack 19.1.0 - 19.1.5
react-server-dom-turbopack 19.2.0 - 19.2.4
react-server-dom-webpack 19.0.0 - 19.0.4
react-server-dom-webpack 19.1.0 - 19.1.5
react-server-dom-webpack 19.2.0 - 19.2.4
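As an added example (not code from the advisory, NVD, or the React project), the following JavaScript audits a dependency tree for installed copies of the three packages whose versions fall inside the ranges above. It assumes the tree shape produced by `npm ls --all --json` and runs over a constructed sample tree. Two edge cases are handled deliberately: prerelease versions (for example canary builds) are outside the stable ranges the advisory lists and are reported as unknown rather than silently cleared, and any version outside the listed ranges is reported as not affected by this advisory only, not as safe in general.

```javascript
// Added example (not from the advisory or the React project): audit a dependency
// tree for react-server-dom-* versions inside the affected ranges of CVE-2026-23869.

// Inclusive [low, high] stable ranges taken from the advisory text above.
const CVE_2026_23869_RANGES = [['19.0.0', '19.0.4'], ['19.1.0', '19.1.5'], ['19.2.0', '19.2.4']];
const AFFECTED_RANGES = {
  'react-server-dom-parcel': CVE_2026_23869_RANGES,
  'react-server-dom-turbopack': CVE_2026_23869_RANGES,
  'react-server-dom-webpack': CVE_2026_23869_RANGES,
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its parts.
// Returns null for strings that are not concrete versions (dist-tags, ranges, URLs).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of the MAJOR.MINOR.PATCH core (prerelease is handled by the caller).
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one package@version as 'affected', 'not-affected' or 'unknown'.
function classify(name, version) {
  const ranges = AFFECTED_RANGES[name];
  if (!ranges) return 'not-affected';
  const v = parseVersion(version);
  if (!v) return 'unknown'; // not a concrete version; needs manual review
  // The advisory lists stable releases only. A prerelease such as 19.0.0-canary-...
  // is not inside those ranges, but it is not known to be fixed either.
  if (v.prerelease) return 'unknown';
  for (const [lo, hi] of ranges) {
    if (compareCore(v, parseVersion(lo)) >= 0 && compareCore(v, parseVersion(hi)) <= 0) {
      return 'affected';
    }
  }
  return 'not-affected';
}

// Walk a tree in the shape of `npm ls --all --json`
// ({ dependencies: { name: { version, dependencies } } }) and collect findings
// for every copy that is affected or needs review, including transitive ones.
function auditTree(tree, path = [], findings = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    const status = classify(name, node.version);
    if (status !== 'not-affected') {
      findings.push({ name, version: node.version, status, path: here.join(' > ') });
    }
    auditTree(node, here, findings);
  }
  return findings;
}

// Constructed sample tree (not real npm output): one direct affected copy,
// one fixed transitive copy, one transitive canary build.
const SAMPLE_TREE = {
  dependencies: {
    'react-server-dom-webpack': { version: '19.1.5' },
    'react': { version: '19.2.0' },
    'some-framework': {
      version: '3.0.0',
      dependencies: {
        'react-server-dom-turbopack': { version: '19.2.5' },
        'react-server-dom-parcel': { version: '19.0.0-canary-abc123' },
      },
    },
  },
};

for (const f of auditTree(SAMPLE_TREE)) {
  console.log(`${f.status.padEnd(12)} ${f.path}@${f.version}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json`; lockfiles from other package managers need a different walker but the same `classify` logic.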

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time

import requests

# Target URL of the vulnerable Server Function endpoint (placeholder host and path).
target_url = "http://vulnerable-host/_server_action"

# The specific payload structure depends on the internal parsing logic of RSC.
# This is a conceptual example of sending a request that triggers the DoS.
malicious_payload = {
    # Placeholder for the crafted data that causes CPU exhaustion.
    # Real-world exploitation requires specific data patterns known in the advisory.
    "_args": [["...crafted_payload..."]]
}

try:
    print("Sending malicious request to trigger DoS...")
    started = time.monotonic()
    # The advisory says the CPU burn lasts up to a minute, so use a generous read
    # timeout instead of blocking forever, and report how long the server took.
    response = requests.post(target_url, json=malicious_payload, timeout=(5, 90))
    print(f"Response Status: {response.status_code}")
    print(f"Elapsed: {time.monotonic() - started:.1f}s")
except Exception as e:
    print(f"An error occurred: {e}")

Weaknesses

CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data)

References

https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23869",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-08T20:16:23.003",
    "lastModified": "2026-04-08T21:26:13.410",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-400" },
          { "lang": "en", "value": "CWE-502" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg",
        "source": "[email protected]"
      }
    ]
  }
}