CVE-2026-23869
Essential information
- Published
- 08/04/2026 20:16
- Modified
- 08/04/2026 21:26
- Author
- —
- Creator
- —
- CVSS
- 7.5 HIGH (v3.1)
- CISA KEV
- No
- CWE
- —
- CVSS vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS metrics
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Privileges required
- NONE
- User interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality impact
- NONE
- Integrity impact
- NONE
- Availability impact
- HIGH
Description
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
Affected products (CPE)
| Product | CPE |
|---|---|
| facebook / react-server-dom-parcel | cpe:2.3:a:facebook:react-server-dom-parcel:19.0.0-19.0.4:*:*:*:*:*:*:* |
| facebook / react-server-dom-parcel | cpe:2.3:a:facebook:react-server-dom-parcel:19.1.0-19.1.5:*:*:*:*:*:*:* |
| facebook / react-server-dom-parcel | cpe:2.3:a:facebook:react-server-dom-parcel:19.2.0-19.2.4:*:*:*:*:*:*:* |
| facebook / react-server-dom-turbopack | cpe:2.3:a:facebook:react-server-dom-turbopack:19.0.0-19.0.4:*:*:*:*:*:*:* |
| facebook / react-server-dom-turbopack | cpe:2.3:a:facebook:react-server-dom-turbopack:19.1.0-19.1.5:*:*:*:*:*:*:* |
| facebook / react-server-dom-turbopack | cpe:2.3:a:facebook:react-server-dom-turbopack:19.2.0-19.2.4:*:*:*:*:*:*:* |
| facebook / react-server-dom-webpack | cpe:2.3:a:facebook:react-server-dom-webpack:19.0.0-19.0.4:*:*:*:*:*:*:* |
| facebook / react-server-dom-webpack | cpe:2.3:a:facebook:react-server-dom-webpack:19.1.0-19.1.5:*:*:*:*:*:*:* |
| facebook / react-server-dom-webpack | cpe:2.3:a:facebook:react-server-dom-webpack:19.2.0-19.2.4:*:*:*:*:*:*:* |