Introduction
An incomplete fix for a prior denial of service vulnerability in React Server Components has left applications exposed to a new attack that can pin server CPUs for up to a minute per malicious request. CVE-2026-23869, disclosed on April 8, 2026, affects the deserialization logic in three React Server Components DOM packages and carries a CVSS 3.1 score of 7.5, reflecting its unauthenticated, low-complexity, network-exploitable nature.
What makes this particularly notable is the context: organizations that diligently patched for the earlier CVE-2026-23864 (upgrading to versions 19.0.4, 19.1.5, and 19.2.4) remained vulnerable. The prior fix was incomplete, and this new CVE represents the follow-up correction.
Technical Information
Root Cause
The vulnerability lies in how React Server Components deserialize HTTP request payloads sent to Server Function endpoints. The three affected packages, react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, all share this deserialization path. When a specially crafted payload reaches a Server Function endpoint, the deserialization logic enters a state of excessive CPU consumption that can persist for approximately 60 seconds before terminating with a thrown error.
The vulnerability maps to two CWE identifiers:
- CWE-400 (Uncontrolled Resource Consumption): The server does not properly control CPU resource allocation when processing the malicious payload, allowing a single request to monopolize processing time.
- CWE-502 (Deserialization of Untrusted Data): The server deserializes untrusted data from the HTTP request without sufficiently validating that the resulting data structure is safe to process, enabling the resource exhaustion condition.
CVSS Breakdown
The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Breaking this down:
- Attack Vector: Network. The vulnerability is exploitable remotely over HTTP.
- Attack Complexity: Low. No special conditions or race conditions are required.
- Privileges Required: None. An unauthenticated attacker can trigger the vulnerability.
- User Interaction: None. No victim action is needed.
- Impact: Availability is rated High. Confidentiality and Integrity are not affected.
Attack Flow
- The attacker identifies a Server Function endpoint exposed by a React application using one of the affected packages.
- The attacker sends a specially crafted HTTP request to that endpoint.
- The server processes the request and enters the vulnerable deserialization path.
- CPU consumption spikes and remains elevated for up to one minute.
- The processing eventually terminates with a thrown error (which is catchable by the application).
- During the processing window, the server thread is effectively consumed, degrading performance for legitimate users.
- Repeated requests can amplify the impact, potentially rendering the service unavailable.
Relationship to CVE-2026-23864
This is a critical detail for teams tracking their patch status. The previous round of fixes released as versions 19.0.4, 19.1.5, and 19.2.4 addressed CVE-2026-23864 but were found to be incomplete. Applications that had already upgraded to those versions remained vulnerable to CVE-2026-23869. The new patched versions (19.0.5, 19.1.6, 19.2.5) are exactly one bump beyond the earlier fixes, confirming this is a distinct, follow-up correction rather than a re-announcement.
Patch Information
The Facebook/React team published GHSA-479c-33wc-g2pg on April 8, 2026 to disclose this vulnerability and its fix. The patch was backported across all three active React release lines for the following npm packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
| Release Line | Vulnerable Range | Patched Version |
|---|---|---|
| 19.0.x | 19.0.0 through 19.0.4 | 19.0.5 |
| 19.1.x | 19.1.0 through 19.1.5 | 19.1.6 |
| 19.2.x | 19.2.0 through 19.2.4 | 19.2.5 |
For downstream consumers, Vercel confirmed that Next.js has been patched in versions 15.5.15 and 16.2.3 (for the 15.x and 16.x branches respectively). Vercel also deployed WAF rules across their platform to provide automatic protection for hosted projects, but explicitly cautioned that the WAF should not be relied upon as a substitute for upgrading the underlying packages.
If your application does not use React Server Components (your React code does not run on a server, or your framework/bundler does not support RSC), your application is not affected and no action is required.
Additional Mitigation Measures
Beyond patching, organizations should consider implementing:
- Rate limiting on Server Function endpoints to constrain the number of requests an unauthenticated user can issue.
- Request throttling to limit the CPU resources any single request can consume.
- HMAC signing or similar integrity checks on serialized payloads to ensure data has not been tampered with.
- Input validation that populates new objects rather than directly deserializing untrusted data.
- Allowlisting of acceptable classes during deserialization to prevent unexpected types from being processed.
Affected Systems and Versions
The vulnerability affects the following packages and version ranges:
react-server-dom-parcel
- Versions 19.0.0 through 19.0.4
- Versions 19.1.0 through 19.1.5
- Versions 19.2.0 through 19.2.4
react-server-dom-turbopack
- Versions 19.0.0 through 19.0.4
- Versions 19.1.0 through 19.1.5
- Versions 19.2.0 through 19.2.4
react-server-dom-webpack
- Versions 19.0.0 through 19.0.4
- Versions 19.1.0 through 19.1.5
- Versions 19.2.0 through 19.2.4
Applications are only affected if they use a server and a framework or bundler plugin that supports React Server Components. Client-only React applications are not vulnerable.
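The following script is an added example (not code from the React project or the advisory) that checks a package-lock.json against the vulnerable ranges and patched versions listed in the table above and in the per-package lists. It assumes a lockfile-v2/v3 `packages` map and uses a constructed sample lockfile so it runs offline.

```javascript
// Added example: flag installed react-server-dom-* packages whose version
// falls inside the CVE-2026-23869 vulnerable ranges from the advisory.
const AFFECTED = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// First patched version per release line, from the advisory table.
const PATCHED = { "19.0": "19.0.5", "19.1": "19.1.6", "19.2": "19.2.5" };

// Parse "MAJOR.MINOR.PATCH" (a canary suffix after the patch number is ignored,
// which conservatively treats pre-releases of a line as unpatched).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the package is one of the three affected and its version is
// older than the patched release of its minor line.
function isVulnerable(name, version) {
  if (!AFFECTED.has(name)) return false;
  const v = parseVersion(version);
  if (!v) return false;
  const fixed = PATCHED[`${v[0]}.${v[1]}`];
  if (!fixed) return false; // release lines not listed in the advisory
  return v[2] < parseVersion(fixed)[2];
}

// Walk a package-lock.json "packages" map (nested node_modules included)
// and return every vulnerable install with the version to upgrade to.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (isVulnerable(name, meta.version)) {
      const v = parseVersion(meta.version);
      findings.push({ name, version: meta.version, upgradeTo: PATCHED[`${v[0]}.${v[1]}`] });
    }
  }
  return findings;
}

// Constructed sample lockfile, not from a real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.5" },
    "node_modules/react-server-dom-webpack": { version: "19.2.4" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.6" },
  },
};
```

Running `scanLockfile(SAMPLE_LOCK)` reports only react-server-dom-webpack 19.2.4 with `upgradeTo: "19.2.5"`; the nested turbopack copy at 19.1.6 is already patched.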
Vendor Security History
The React team has addressed multiple security vulnerabilities in the Server Components protocol in recent months. On December 11, 2025, the team disclosed:
- CVE-2025-55184 and CVE-2025-67779: Denial of service issues in React Server Components.
- CVE-2025-55183: A source code exposure issue in React Server Components.
Those earlier vulnerabilities required coordinated downstream updates from major frameworks like Next.js, which had to issue specific version bumps across multiple release lines. The pattern continues with CVE-2026-23869, where the fix was backported to three separate minor version lines and downstream frameworks issued their own patches.
The fact that CVE-2026-23869 exists as a bypass of the fix for CVE-2026-23864 underscores the complexity of securing the deserialization path in the Server Components protocol. This is the second time in a short window that the same functional area has required patching.
References
- Denial of Service Vulnerability in React Server Components, GitHub Advisory GHSA-479c-33wc-g2pg
- NVD Entry for CVE-2026-23869
- CVE Record: CVE-2026-23869
- Vercel Changelog: Summary of CVE-2026-23869
- GitHub Advisory GHSA-83fc-fqcc-2hmg
- React Blog: Critical Security Vulnerability in React Server Components (December 2025)
- Next.js Security Update, December 11, 2025
- CWE-400: Uncontrolled Resource Consumption
- CWE-502: Deserialization of Untrusted Data