High

Denial of Service in React Server Components Server Function Endpoints

IdentifiersCVE-2026-23870CWE-400

CVE-2026-23870 is a high-severity denial-of-service vulnerability in React Server Components affecting the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The issue is triggered when a specially crafted HTTP request is sent to a server function endpoint and processed by the server-side React Server Components request handling and deserialization logic. The affected packages are the bundler integration layers used to serialize and deserialize server function calls over HTTP. Available reporting indicates the flaw is associated with inadequate structural or type constraints during inbound payload deserialization, allowing pathological processing that can drive excessive CPU consumption and, in some cases, server crashes or out-of-memory conditions. Affected versions are 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can cause denial of service against vulnerable server-side React deployments by sending crafted requests to exposed server function endpoints. Observed outcomes include excessive CPU usage, process crashes, and out-of-memory exceptions, which can render the application unavailable. The reported impact is limited to availability; no specific confidentiality or integrity impact is stated in the provided material.

Mitigation

If you can’t patch tonight, do this now.

No official workaround is available in the provided material. Temporary risk reduction is limited to minimizing exposure of server function endpoints, restricting network access to those endpoints where feasible, and reducing public reachability until patched versions can be deployed. Purely client-side React applications that do not use server-side React Server Components are not within the described attack surface.

Remediation

Patch, then assume compromise.

Upgrade the affected React Server Components packages to the fixed releases on the appropriate branch: 19.0.6, 19.1.7, or 19.2.6 for react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Because these packages are often introduced transitively by frameworks and bundlers, inspect dependency lockfiles such as package-lock.json, yarn.lock, or pnpm-lock.yaml to confirm resolved versions. For affected Next.js environments, apply the corresponding vendor-patched Next.js release as advised by the framework maintainer.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Meta PlatformsReact-Server-Dom-Parcelapplication

Meta PlatformsReact-Server-Dom-Turbopackapplication

Meta PlatformsReact-Server-Dom-Webpackapplication

VercelNextapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app

cyber security newsNews

May 8, 2026

Multiple Critical Vulnerabilities Patched in Next.js and React Server Components

A high-severity denial-of-service vulnerability in React Server Components / Next.js App Router caused by unsafe deserialization in the React Flight protocol, allowing crafted requests to trigger excessive CPU usage.

vercel blogNews

May 7, 2026

Next.js May 2026 security release - Vercel

A denial-of-service vulnerability in React Server Components affecting react-server-dom-* packages and impacting Next.js applications that use Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.

zeropath blogNews

May 6, 2026

Brief Summary: CVE-2026-23870 Denial of Service in React Server Components via Crafted HTTP Requests - ZeroPath Blog | ZeroPath

A denial of service vulnerability in React Server Components server function endpoint handling that allows unauthenticated remote attackers to crash servers or exhaust CPU/memory via crafted HTTP requests.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13