React Server Components Flaw Enables DoS Attack Vulnerability Attacks

A high-severity vulnerability has been discovered within React Server Components. This flaw exposes modern web applications to Denial of Service (DoS) attacks.

Tracked as CVE-2026-23869, this flaw allows unauthenticated remote attackers to exhaust backend server resources through specially crafted network requests.

The GitHub Security Advisory rates this vulnerability as High severity. Because the attack requires low complexity, no user interaction, and no elevated privileges

It poses an immediate risk to production environments utilizing vulnerable React server packages.

Mechanism of the Attack

The vulnerability targets the way React Server Components process incoming data at Server Function endpoints.

An attacker can exploit this vector by sending a maliciously crafted HTTP request directly over the network to these specific endpoints.

When the server receives this payload, it triggers two distinct security weaknesses:

• Deserialization of untrusted data (CWE-502) allows the system to process potentially dangerous input without proper validation.
• Uncontrolled resource consumption (CWE-400) occurs as the server attempts to handle the complex or malformed payload.

This combination forces the server into excessive CPU usage for up to an entire minute.

While the event ultimately ends in a catchable error rather than a hard crash, the prolonged CPU spike effectively degrades application performance and blocks access for legitimate users.

The vulnerability resides in the core packages responsible for handling server-side rendering and component routing. The flaw impacts the 19.0, 19.1, and 19.2 release branches.

The following npm packages contain the vulnerability:

• react-server-dom-parcel (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4).
• react-server-dom-turbopack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4).
• react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4).

Not all React applications are exposed to this threat. The architecture of your specific project dictates your exposure to the vulnerability.

Your application is completely safe if your React code operates exclusively on the client side without a server component.

Furthermore, if your application does not use a framework, bundler, or plugin that explicitly supports React Server Components, your infrastructure is not affected.

The React maintenance team has successfully backported security fixes to address the resource exhaustion flaw.

Development teams on GitHub are urged to audit dependencies and upgrade immediately to restore security. To mitigate the vulnerability, update your affected packages to the following secure versions: 19.0.5, 19.1.6, 19.2.5.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.