Introduction
A series of incomplete patches for React Server Components has culminated in CVE-2026-23870, the latest in a chain of denial of service vulnerabilities affecting server function endpoints. For organizations running React 19.x with server side rendering through frameworks like Next.js or React Router, this vulnerability allows any unauthenticated network attacker to crash production servers or exhaust their resources with crafted HTTP requests.
Technical Information
CVE-2026-23870 targets the server function endpoint handling in three React Server Components packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. These packages serve as the bundler integration layer for React Server Components, responsible for serializing and deserializing server function calls transmitted over HTTP.
The vulnerability is exploitable by sending specially crafted HTTP requests directly to server function endpoints; the attacker needs only network reachability to the endpoint, not a valid session, a browser, or any interaction from a legitimate user. The CVSS base score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects the characteristics of this attack: it is network accessible, requires low complexity, demands no privileges, and needs no user interaction. The impact is confined entirely to availability, with no effect on confidentiality or integrity.
Successful exploitation leads to one or more of the following outcomes:
- Server crashes (process termination)
- Out of memory exceptions
- Excessive CPU usage
The resource exhaustion behavior suggests the crafted requests trigger pathological processing in the request deserialization or handling logic, though the advisory does not disclose the specific parsing flaw. Because the triggering payload shape is not published, defenders cannot write a reliable request signature for a proxy or WAF, which leaves upgrading as the only dependable remediation.
Context: A Pattern of Incomplete Fixes
This vulnerability is the fourth in a series of security issues affecting React Server Components since December 2025. Understanding the timeline is important for assessing the maturity of the current fix:
| Date | Advisory | Notes |
|---|---|---|
| December 11, 2025 | React Blog Post | Initial disclosure of DoS and source code exposure vulnerabilities |
| January 26, 2026 | CVE-2026-23864 | Additional DoS cases found after original fixes were deemed incomplete |
| May 2026 | CVE-2026-23869 | DoS affecting versions up to 19.0.4, 19.1.5, and 19.2.4; fixed in 19.0.5, 19.1.6, and 19.2.5 |
| May 2026 | CVE-2026-23870 | Current DoS vulnerability; the versions that fixed CVE-2026-23869 are themselves vulnerable |
The fact that CVE-2026-23870 affects the exact versions released to fix CVE-2026-23869 (namely 19.0.5, 19.1.6, and 19.2.5) confirms that the prior remediation was incomplete. This iterative pattern warrants careful attention: organizations that patched for CVE-2026-23869 and stopped monitoring are still exposed.
Scoping the Attack Surface
Not all React applications are vulnerable. The attack surface is limited to applications that:
- Run React code on a server (not purely client side applications)
- Use a framework, bundler, or bundler plugin that supports React Server Components
Applications that meet both criteria and resolve any of the three affected packages within the vulnerable version ranges are at risk. The exposure is amplified by the fact that major frameworks pull these packages as transitive dependencies. Frameworks and plugins known to depend on the affected packages include:
- Next.js
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
Teams should inspect their lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) rather than package.json to determine whether vulnerable versions of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are resolved: the packages usually arrive as transitive dependencies of the framework, so they will not appear in a project's own dependency list, and a lockfile may contain more than one resolved copy (for example a nested copy pinned under the framework's own node_modules directory), each of which must be on a fixed version.
Affected Systems and Versions
The vulnerability spans three packages across three release lines:
| Package | Vulnerable Versions | Fixed Version |
|---|---|---|
| react-server-dom-webpack | 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, 19.2.0 through 19.2.5 | 19.0.6, 19.1.7, or 19.2.6 |
| react-server-dom-parcel | 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, 19.2.0 through 19.2.5 | 19.0.6, 19.1.7, or 19.2.6 |
| react-server-dom-turbopack | 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, 19.2.0 through 19.2.5 | 19.0.6, 19.1.7, or 19.2.6 |
Note that the stable React release listed on Wikipedia as of April 8, 2026 was 19.2.5, which falls within the vulnerable range, so an application that is merely "on the latest stable release" as of that date is not protected. Organizations should target the following upgrades based on their current release line:
| Current Release Line | Target Version |
|---|---|
| 19.0.x | 19.0.6 |
| 19.1.x | 19.1.7 |
| 19.2.x | 19.2.6 |
There are no official workarounds. Upgrading is the only supported remediation.
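The script below applies the lockfile check described under "Scoping the Attack Surface" together with the version and upgrade tables above. It is an added example, not code from the React project or from the advisory. It assumes the npm lockfile format (lockfileVersion 2 or 3, where resolved packages live in a `packages` map keyed by install path); the `SAMPLE_LOCK` object is a constructed lockfile, `some-framework` is a placeholder for a framework that pins a nested copy, and the `audit-lock.js` filename in the usage comment is an assumption. Prerelease (canary) builds and release lines the advisory does not cover are flagged for manual review rather than classified, because the published ranges say nothing about them.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for resolved
// copies of the three react-server-dom-* packages and map each one to the
// vulnerable ranges and fixed versions from the CVE-2026-23870 tables above.
// Illustrative tooling, not code from the React project or the advisory.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// One entry per release line, taken from the advisory's version table.
const RELEASE_LINES = [
  { line: '19.0', firstVulnerable: '19.0.0', lastVulnerable: '19.0.5', fixed: '19.0.6' },
  { line: '19.1', firstVulnerable: '19.1.0', lastVulnerable: '19.1.6', fixed: '19.1.7' },
  { line: '19.2', firstVulnerable: '19.2.0', lastVulnerable: '19.2.5', fixed: '19.2.6' },
];

// Parse "MAJOR.MINOR.PATCH" with an optional prerelease suffix such as
// "19.2.0-canary-abc123". Returns null for anything else.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(text);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Compare the numeric core of two parsed versions; prerelease tags are
// handled separately in classify().
function compareCore(a, b) {
  for (const part of ['major', 'minor', 'patch']) {
    if (a[part] !== b[part]) return a[part] < b[part] ? -1 : 1;
  }
  return 0;
}

// Classify one resolved version string. Status values:
//   'vulnerable'   - inside a published vulnerable range; `fixed` names the upgrade target
//   'fixed'        - on a covered release line and at or above the fixed version
//   'unknown-line' - a release line the advisory tables do not cover (e.g. 18.x); review manually
//   'prerelease'   - canary/experimental build; the published ranges do not speak to these
//   'unparseable'  - not a MAJOR.MINOR.PATCH string
function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return { status: 'unparseable', fixed: null };
  if (v.prerelease) return { status: 'prerelease', fixed: null };
  const rl = RELEASE_LINES.find((r) => r.line === `${v.major}.${v.minor}`);
  if (!rl) return { status: 'unknown-line', fixed: null };
  const lo = parseVersion(rl.firstVulnerable);
  const hi = parseVersion(rl.lastVulnerable);
  const inRange = compareCore(v, lo) >= 0 && compareCore(v, hi) <= 0;
  return { status: inRange ? 'vulnerable' : 'fixed', fixed: rl.fixed };
}

// Walk the "packages" map of an npm lockfile. Keys are install paths such as
// "node_modules/next/node_modules/react-server-dom-webpack", so nested copies
// pinned by a framework are found alongside top-level ones. The package name
// is the text after the last "node_modules/" segment (scoped names included).
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = installPath.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || typeof meta.version !== 'string') continue;
    const { status, fixed } = classify(meta.version);
    findings.push({ installPath, name, version: meta.version, status, fixed });
  }
  return findings;
}

// Render only the findings that require action, one line each.
function vulnerableReport(findings) {
  return findings
    .filter((f) => f.status === 'vulnerable')
    .map((f) => `${f.installPath}: ${f.name}@${f.version} is in the CVE-2026-23870 range; upgrade to ${f.fixed}`);
}

// Constructed sample lockfile (not a real project). "some-framework" stands in
// for a framework that pins its own nested copy of an affected package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.5' },
    'node_modules/react-server-dom-webpack': { version: '19.2.5' },
    'node_modules/some-framework': {},
    'node_modules/some-framework/node_modules/react-server-dom-parcel': { version: '19.1.7' },
    'node_modules/react-server-dom-turbopack': { version: '19.0.3' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// Without a path argument the constructed sample above is audited.
function loadLockfile(argv) {
  const file = argv[2];
  if (file && file.endsWith('.json') && typeof require === 'function') {
    return JSON.parse(require('fs').readFileSync(file, 'utf8'));
  }
  return SAMPLE_LOCK;
}

function main() {
  const lines = vulnerableReport(auditLockfile(loadLockfile(process.argv)));
  console.log(lines.length ? lines.join('\n') : 'no affected react-server-dom-* versions resolved');
}
main();
```

On the sample, the report lists the top-level react-server-dom-webpack@19.2.5 and react-server-dom-turbopack@19.0.3 as vulnerable and stays silent about the nested react-server-dom-parcel@19.1.7, which is already on a fixed version. For yarn.lock or pnpm-lock.yaml the `classify` function is reusable but the lockfile walk needs a parser for that format; `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` is a quick cross-check for npm projects, since it prints every resolved copy with its install path.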
Vendor Security History
The React team at Meta has been responsive in issuing backported fixes to the 19.0, 19.1, and 19.2 release lines, but the React Server Components feature area has experienced a notable concentration of security issues in a short timeframe. Since December 2025, at least four distinct security advisories have been published for server function endpoints, covering remote code execution, source code exposure, and multiple rounds of denial of service fixes. Each round of DoS patches has been followed by the discovery of additional attack vectors that the previous fix did not address. While this iterative pattern is not uncommon in complex serialization code, it does mean that organizations should treat each new patch as potentially incomplete and keep watching for subsequent advisories rather than closing the ticket after one upgrade.
References
- GitHub Security Advisory GHSA-rv78-f8rc-xrxh
- NVD Entry for CVE-2026-23870
- React Blog: Denial of Service and Source Code Exposure in React Server Components (December 2025)
- GitHub Security Advisory GHSA-479c-33wc-g2pg (CVE-2026-23869)
- React GitHub Repository
- GitHub Advisory Database
- React (software) on Wikipedia