React Server Components vulnerability enables DoS attacks


A high-severity vulnerability in React Server Components lets remote attackers trigger denial-of-service conditions by sending specially crafted HTTP requests to Server Function endpoints. The issue is tracked as CVE-2026-23869 and affects the three bundler-specific react-server-dom packages used in modern server-rendered React setups.

Exploitation requires neither user interaction nor prior access. GitHub’s advisory says a malicious request can drive excessive CPU usage for up to a minute before ending in a catchable error, so the process stays up but can become slow or temporarily unavailable to real users.

Not every React app is affected. Projects that run React only on the client are not vulnerable, and apps that do not use a framework, bundler, or bundler plugin with React Server Components support are also outside the exposed group.

How the attack works

The vulnerability sits in how React Server Components handle input sent to Server Function endpoints. According to the advisory, an attacker can send a crafted request that forces the server into heavy CPU work, which creates a practical denial-of-service window even though the process eventually throws an error instead of crashing outright.

GitHub’s advisory maps the issue to two common weakness types: deserialization of untrusted data (CWE-502) and uncontrolled resource consumption (CWE-400). The combination matters because it gives an unauthenticated attacker a cheap way to consume the server’s CPU: the request is trivial to send and expensive to process.

The practical impact depends on how an application uses Server Components and Server Functions in production. In exposed deployments, repeated malicious requests could keep backend workers busy long enough to degrade performance, slow responses, or deny service to legitimate traffic. That last point is an inference from the advisory’s confirmed CPU-exhaustion behavior rather than something the advisory states outright.

Which packages and versions are affected

The advisory names three affected npm packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. All three share the same affected version ranges.

The affected ranges are >=19.0.0 <19.0.5, >=19.1.0 <19.1.6, and >=19.2.0 <19.2.5. In other words, the vulnerable versions are 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4.

The fixes have already landed. React maintainers backported patches to 19.0.5, 19.1.6, and 19.2.5 (one per release line), and the advisory recommends upgrading immediately if any of the affected packages appear in production dependencies.

React server components DoS bug at a glance

Item                 Details
CVE                  CVE-2026-23869
Severity             High
Attack type          Unauthenticated denial of service
Trigger              Crafted HTTP requests to Server Function endpoints
Main effect          Excessive CPU usage for up to a minute
Affected packages    react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack
Fixed versions       19.0.5, 19.1.6, 19.2.5

What developers should do now

  • Audit dependencies, including transitive and nested copies in the lockfile, for react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
  • Upgrade to 19.0.5, 19.1.6, or 19.2.5, depending on which release line you are on.
  • Check whether your framework or bundler enables React Server Components and Server Functions in production routes.
  • Review rate-limiting and request filtering around server endpoints that process React Server Components traffic. This is a sensible defensive step based on the attack path described in the advisory.
  • Prioritize internet-facing deployments first, since the attack works over the network without authentication.
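The audit and version check described in the list above and in the version-range section, as an added example that is not code from the advisory or from the React project. It assumes an npm package-lock.json in the lockfileVersion 2 or 3 layout, where every installed package (including nested duplicates) is listed under a "packages" map keyed by its node_modules path. The lockfile below is constructed for the example; the vulnerable ranges are the ones the advisory publishes. Prerelease versions (for example canary builds) are reported for manual review rather than classified, because npm semver range matching treats them specially.

```javascript
// Added example: audit a package-lock.json for the three react-server-dom-*
// packages named in the CVE-2026-23869 advisory and classify each installed
// copy against the advisory's affected version ranges.

const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];

// Affected ranges from the advisory, as half-open intervals [min, fixed).
const AFFECTED_RANGES = [
  { min: "19.0.0", fixed: "19.0.5" },
  { min: "19.1.0", fixed: "19.1.6" },
  { min: "19.2.0", fixed: "19.2.5" },
];

// Parse "MAJOR.MINOR.PATCH" with optional -prerelease and +build suffixes.
// Returns null for anything that is not a semver version (git URLs, file:
// links, workspace references) so those entries are surfaced, not ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(
    String(v)
  );
  if (!m) return null;
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] || null,
  };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> release version inside an affected range
// false -> release version outside every affected range
// null  -> prerelease or unparseable; needs a human to look at it
function isVulnerable(version) {
  const parsed = parseVersion(version);
  if (!parsed || parsed.prerelease) return null;
  return AFFECTED_RANGES.some(({ min, fixed }) => {
    const lo = parseVersion(min).parts;
    const hi = parseVersion(fixed).parts;
    return compareParts(parsed.parts, lo) >= 0 && compareParts(parsed.parts, hi) < 0;
  });
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/react-server-dom-webpack" or, for a nested duplicate,
// "node_modules/some-plugin/node_modules/react-server-dom-webpack", so the
// package name is the text after the last "node_modules/".
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const result = isVulnerable(entry.version);
    findings.push({
      path,
      name,
      version: entry.version,
      status: result === null ? "review" : result ? "vulnerable" : "not-affected",
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one outdated top-level
// copy, one patched copy, one outdated nested duplicate, and one canary build.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/react-server-dom-webpack": { version: "19.2.4" },
    "node_modules/react-server-dom-parcel": { version: "19.1.6" },
    "node_modules/legacy-plugin/node_modules/react-server-dom-webpack": { version: "19.0.3" },
    "node_modules/react-server-dom-turbopack": { version: "19.3.0-canary-abc123" },
  },
};

function main() {
  for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
    console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.path})`);
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

To run this against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Two caveats: a framework that ships its own precompiled copy of one of these packages inside its own distribution (Next.js does this under its compiled directory, for example) will not appear as a separate lockfile entry, so check the framework's release notes as well; and a "not-affected" result only means the version is outside the advisory's ranges, not that the rest of the dependency tree is clean.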

FAQ

What is CVE-2026-23869?

It is a high-severity denial-of-service vulnerability in React Server Components that can trigger heavy CPU usage through crafted requests to Server Function endpoints.

Are all React apps affected?

No. Client-only React apps are not affected, and apps that do not use tooling with React Server Components support are also not affected.

Which packages need patching?

The affected packages are react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.

What versions fix the issue?

The patched versions are 19.0.5, 19.1.6, and 19.2.5.
