CVE-2026-23869: React Server Components have a Denial of Service Vulnerability
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.
The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
We recommend updating immediately.
The vulnerability exists in versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4 of:
react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
References
Code Behaviors & Features
Detect and mitigate CVE-2026-23869 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →