CVE-2026-23870: High-Severity DoS Flaw in React Server Components

The National Vulnerability Database has disclosed CVE-2026-23870, a high-severity denial-of-service vulnerability impacting specific versions of React Server Components. Attackers can trigger server crashes, out-of-memory errors, or excessive CPU utilization by sending specially crafted HTTP requests to server function endpoints. Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in the following version ranges: 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5.

This vulnerability carries a CVSS score of 7.5 (HIGH), indicating a significant risk. Exploitation requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), so any unauthenticated attacker on the network can potentially disrupt services. For defenders, this is a direct threat to application availability: successful exploitation can cause significant downtime and operational impact.

Organizations relying on these affected React Server Component versions must prioritize patching. The National Vulnerability Database advises updating to a secure version. Proactive monitoring for unusual HTTP request patterns targeting server function endpoints is also recommended to detect potential exploitation attempts.

What This Means For You

  • If your organization utilizes React Server Components, specifically versions 19.0.0 through 19.2.5, you must immediately review and update these packages to mitigate CVE-2026-23870. Failure to patch leaves your applications vulnerable to denial-of-service attacks that can cripple services.
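One way to run that review against a project's lockfile, as an added example that is not part of the original advisory or of the React project's tooling. It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3; the function names and the sample lockfile are constructed for illustration, and the package names and version ranges are the ones listed in this advisory.

```javascript
// Package names and version ranges below come from this advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Major 19 only: minor version -> highest affected patch (inclusive, from patch 0).
const AFFECTED_RANGES = new Map([[0, 5], [1, 6], [2, 5]]);

// Returns "affected", "not-listed", or "review" (cannot be decided from the listed ranges).
function classifyVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(.*)$/.exec(version);
  if (!m) return "review"; // not a plain x.y.z string
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const inRange =
    major === 19 && AFFECTED_RANGES.has(minor) && patch <= AFFECTED_RANGES.get(minor);
  if (!inRange) return "not-listed";
  // Assumption: pre-release/build suffixes inside a listed range need manual review.
  return m[4] === "" ? "affected" : "review";
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/b; keep the last name.
    const name = entry.name || path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const status = classifyVersion(entry.version);
    if (status !== "not-listed") hits.push({ path, name, version: entry.version, status });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.6" },
    "node_modules/react-server-dom-parcel": { version: "19.2.6" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.0.0-rc.1" },
    "node_modules/react": { version: "19.1.6" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected`; nested copies pulled in by a framework are reported with their full install path.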

Indicators of Compromise

ID | Type | Indicator
CVE-2026-23870 | DoS | react-server-dom-webpack versions 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5
CVE-2026-23870 | DoS | react-server-dom-parcel versions 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5
CVE-2026-23870 | DoS | react-server-dom-turbopack versions 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5
CVE-2026-23870 | DoS | Specially crafted HTTP requests to server function endpoints

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 06, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
