CVE-2026-23869
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A denial-of-service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The request payload causes excessive CPU usage for up to a minute, ending in a thrown error that can be caught.
| Vendor | meta |
| Product | react-server-dom-turbopack |
| Published | Apr 8, 2026 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
| Meta / react-server-dom-turbopack | 19.0.0 through 19.0.4; 19.1.0 through 19.1.5; 19.2.0 through 19.2.4 |
| Meta / react-server-dom-parcel | 19.0.0 through 19.0.4; 19.1.0 through 19.1.5; 19.2.0 through 19.2.4 |
| Meta / react-server-dom-webpack | 19.0.0 through 19.0.4; 19.1.0 through 19.1.5; 19.2.0 through 19.2.4 |