CVE-2026-23869

Source
https://cve.org/CVERecord?id=CVE-2026-23869
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23869.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23869
Aliases
Published
2026-04-08T20:16:23.003Z
Modified
2026-07-16T03:48:25.796651706Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

References

Affected packages

Git / github.com/react/react

Affected ranges

Type
GIT
Repo
https://github.com/react/react
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "19.0.4"
        },
        {
            "introduced": "19.1.0"
        },
        {
            "fixed": "19.1.5"
        },
        {
            "introduced": "19.2.0"
        },
        {
            "fixed": "19.2.4"
        }
    ],
    "source": "DESCRIPTION"
}

Affected versions

v19.*
v19.0.0
v19.0.1
v19.0.2
v19.0.3
v19.1.0
v19.1.1
v19.1.2
v19.1.3
v19.1.4
v19.2.0
v19.2.1
v19.2.2
v19.2.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23869.json"