React: React Server Components Vulnerability Enables DoS Attacks

High-Severity DoS Vulnerability in React Server Components Exposes Web Apps to Attacks

A critical vulnerability (CVE-2026-23869) has been identified in React Server Components, enabling unauthenticated remote attackers to launch Denial of Service (DoS) attacks by exhausting backend server resources. The flaw, rated High severity by GitHub’s Security Advisory, requires no user interaction or elevated privileges, making it a significant risk for production environments using affected packages.

The attack exploits weaknesses in how React Server Components process data at Server Function endpoints. Malicious HTTP requests trigger two vulnerabilities:

  • Deserialization of untrusted data (CWE-502), allowing unsafe input processing.
  • Uncontrolled resource consumption (CWE-400), forcing excessive CPU usage for up to a minute, degrading performance and blocking legitimate users.

The vulnerability affects the React 19.0, 19.1, and 19.2 branches, specifically these npm packages:

  • react-server-dom-parcel (versions 19.0.0–19.0.4, 19.1.0–19.1.5, 19.2.0–19.2.4)
  • react-server-dom-turbopack (same versions)
  • react-server-dom-webpack (same versions)

Not all React apps are vulnerable: only those using server-side rendering with the affected packages are exposed. Client-side-only React applications, and those without Server Component support, remain unaffected.

The React team has released patches in versions 19.0.5, 19.1.6, and 19.2.5, urging developers to upgrade immediately to mitigate the flaw.
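To turn the advisory's package list into a concrete exposure check, the following added example (not code from the React project or the advisory) walks an npm lockfile's "packages" map and reports any react-server-dom-* entry whose version falls in an affected range, together with the patched release to move to. The lockfile excerpt and the scanLockfile/vulnerableFix names are constructed for this illustration.

```javascript
// Affected branches and the fixed release per branch, as listed in the advisory:
// 19.0.0-19.0.4 -> 19.0.5, 19.1.0-19.1.5 -> 19.1.6, 19.2.0-19.2.4 -> 19.2.5.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
const BRANCHES = [
  { major: 19, minor: 0, lastVulnPatch: 4, fixed: "19.0.5" },
  { major: 19, minor: 1, lastVulnPatch: 5, fixed: "19.1.6" },
  { major: 19, minor: 2, lastVulnPatch: 4, fixed: "19.2.5" },
];

// Parse "MAJOR.MINOR.PATCH[...]". Pre-release suffixes (e.g. "-canary") are
// ignored, so a canary of an affected base version is treated as affected,
// which is the conservative choice for an exposure check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Returns the patched version to upgrade to if (name, version) is affected,
// otherwise null.
function vulnerableFix(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return null;
  const p = parseVersion(version);
  if (!p) return null;
  const b = BRANCHES.find((x) => x.major === p.major && x.minor === p.minor);
  return b && p.patch <= b.lastVulnPatch ? b.fixed : null;
}

// Scan a lockfile v2/v3 "packages" map; keys look like
// "node_modules/<name>" or "node_modules/<dep>/node_modules/<name>",
// so nested (transitive) copies are checked as well.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !entry || !entry.version) continue;
    const fixed = vulnerableFix(name, entry.version);
    if (fixed) findings.push({ name, version: entry.version, upgradeTo: fixed });
  }
  return findings;
}

// Constructed lockfile excerpt (not a real project's file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/react-server-dom-webpack": { version: "19.2.4" },
    "node_modules/react-server-dom-parcel": { version: "19.1.6" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.0.2" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

Run it against a real package-lock.json with `JSON.parse(fs.readFileSync(...))` in place of SAMPLE_LOCK; an empty result means no affected build is installed at any depth.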

Source: https://cybersecuritynews.com/react-server-components-vulnerability-2/

React cybersecurity rating report: https://www.rankiteo.com/company/reactofficial

{
  "id": "REA1775809531",
  "linkid": "reactofficial",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of React 19.0, 19.1, and 19.2 with Server Components",
      "industry": "Technology",
      "name": "React (Meta)",
      "type": "Software Framework"
    }
  ],
  "attack_vector": "Remote, unauthenticated HTTP requests",
  "description": "A critical vulnerability (CVE-2026-23869) has been identified in React Server Components, enabling unauthenticated remote attackers to launch Denial of Service (DoS) attacks by exhausting backend server resources. The flaw exploits weaknesses in how React Server Components process data at Server Function endpoints, leading to deserialization of untrusted data and uncontrolled resource consumption.",
  "impact": {
    "operational_impact": "Degraded performance, blocking legitimate users",
    "systems_affected": "Backend servers using affected React Server Components packages"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch released to address vulnerabilities in affected packages",
    "root_causes": "Deserialization of untrusted data (CWE-502) and uncontrolled resource consumption (CWE-400) in React Server Components"
  },
  "recommendations": "Upgrade to patched versions (19.0.5, 19.1.6, 19.2.5) immediately. Review server-side rendering configurations for potential exposure.",
  "references": [
    { "source": "GitHub Security Advisory" }
  ],
  "response": {
    "communication_strategy": "Public advisory by GitHub Security Advisory and React team",
    "containment_measures": "Patch released (versions 19.0.5, 19.1.6, 19.2.5)",
    "remediation_measures": "Upgrade to patched versions (19.0.5, 19.1.6, 19.2.5)"
  },
  "title": "High-Severity DoS Vulnerability in React Server Components Exposes Web Apps to Attacks",
  "type": "Denial of Service (DoS)",
  "vulnerability_exploited": "CVE-2026-23869 (Deserialization of untrusted data - CWE-502, Uncontrolled resource consumption - CWE-400)"
}