{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23869", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "Meta", "dateReserved": "2026-01-16T19:49:26.309Z", "datePublished": "2026-04-08T19:11:08.418Z", "dateUpdated": "2026-04-08T19:56:22.791Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "react-server-dom-turbopack", "vendor": "Meta", "versions": [{"lessThanOrEqual": "19.0.4", "status": "affected", "version": "19.0.0", "versionType": "semver"}, {"lessThanOrEqual": "19.1.5", "status": "affected", "version": "19.1.0", "versionType": "semver"}, {"lessThanOrEqual": "19.2.4", "status": "affected", "version": "19.2.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "react-server-dom-parcel", "vendor": "Meta", "versions": [{"lessThanOrEqual": "19.0.4", "status": "affected", "version": "19.0.0", "versionType": "semver"}, {"lessThanOrEqual": "19.1.5", "status": "affected", "version": "19.1.0", "versionType": "semver"}, {"lessThanOrEqual": "19.2.4", "status": "affected", "version": "19.2.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "react-server-dom-webpack", "vendor": "Meta", "versions": [{"lessThanOrEqual": "19.0.4", "status": "affected", "version": "19.0.0", "versionType": "semver"}, {"lessThanOrEqual": "19.1.5", "status": "affected", "version": "19.1.0", "versionType": "semver"}, {"lessThanOrEqual": "19.2.4", "status": "affected", "version": "19.2.0", "versionType": "semver"}]}], "dateAssigned": "2026-04-08T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."}], "problemTypes": [{"descriptions": [{"description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "Meta", "dateUpdated": "2026-04-08T19:11:08.418Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:55:33.314236Z", "id": "CVE-2026-23869", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:56:22.791Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:55:33.314236Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:53:45.958Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Meta", "product": "react-server-dom-turbopack", "versions": [{"status": "affected", "version": "19.0.0", "versionType": "semver", "lessThanOrEqual": "19.0.4"}, {"status": "affected", "version": "19.1.0", "versionType": "semver", "lessThanOrEqual": "19.1.5"}, {"status": "affected", "version": "19.2.0", "versionType": "semver", "lessThanOrEqual": "19.2.4"}], "defaultStatus": "unaffected"}, {"vendor": "Meta", "product": "react-server-dom-parcel", "versions": [{"status": "affected", "version": "19.0.0", "versionType": "semver", "lessThanOrEqual": "19.0.4"}, {"status": "affected", "version": "19.1.0", "versionType": "semver", "lessThanOrEqual": "19.1.5"}, {"status": "affected", "version": "19.2.0", "versionType": "semver", "lessThanOrEqual": "19.2.4"}], "defaultStatus": "unaffected"}, {"vendor": "Meta", "product": "react-server-dom-webpack", "versions": [{"status": "affected", "version": "19.0.0", "versionType": "semver", "lessThanOrEqual": "19.0.4"}, {"status": "affected", "version": "19.1.0", "versionType": "semver", "lessThanOrEqual": "19.1.5"}, {"status": "affected", "version": "19.2.0", "versionType": "semver", "lessThanOrEqual": "19.2.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2026-04-08T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "Meta", "dateUpdated": "2026-04-08T19:11:08.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23869", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:56:22.791Z", "dateReserved": "2026-01-16T19:49:26.309Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2026-04-08T19:11:08.418Z", "assignerShortName": "Meta"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."}], "id": "CVE-2026-23869", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-assign@fb.com", "type": "Secondary"}]}, "published": "2026-04-08T20:16:23.003", "references": [{"source": "cve-assign@fb.com", "url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,19.0.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.1.0,19.1.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.2.0,19.2.4]"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "react-server-dom-parcel", "source": "cna", "vendor": "Meta"}, "product": "react-server-dom-parcel", "vendor": "facebook"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,19.0.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.1.0,19.1.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.2.0,19.2.4]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "react-server-dom-turbopack", "source": "cna", "vendor": "Meta"}, "product": "react-server-dom-turbopack", "vendor": "facebook"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,19.0.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.1.0,19.1.5]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.2.0,19.2.4]"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "react-server-dom-webpack", "source": "cna", "vendor": "Meta"}, "product": "react-server-dom-webpack", "vendor": "facebook"}], "analysis": {"en": {"generated_at": "2026-04-08T21:53:07.548556+00:00", "value": {"mitigation_remediation": ["Update to the latest non\u2011vulnerable versions of react\u2011server\u2011dom\u2011parcel, react\u2011server\u2011dom\u2011turbopack, and react\u2011server\u2011dom\u2011webpack.", "Implement rate limiting or input validation on Server Function requests to constrain resource consumption.", "Monitor CPU usage and request latency in production to detect abnormal patterns early.", "Use network\u2011level defenses such as a WAF or DDoS protection to mitigate excessive request traffic."], "summary": {"action": "Patch", "impact": "Denial of Service via CPU exhaustion"}, "threat_synthesis": {"affected_systems": "Meta\u2019s React Server Components libraries react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack are vulnerable in versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. Any application that utilizes either of these libraries for server-side rendering or handling Server Function requests is at risk if deployed in production.", "description_and_impact": "The vulnerability occurs when specially crafted HTTP requests targeting Server Function endpoints in React Server Components trigger an extended period of high CPU usage, lasting up to a minute, before an error is thrown that can be caught by application code. This consumption of processor time can degrade performance, causing legitimate requests to timeout or be delayed, effectively denying service.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the flaw as high severity. Although no EPSS score is available, the vulnerability can be exploited by an attacker who is able to send crafted requests to an exposed Server Function endpoint. This attack vector is inferred from the description: the payload is delivered via HTTP, and authentication requirements are not specified, so it is reasonable to consider that unauthenticated access may suffice. The flaw is not listed in the CISA KEV catalog. Repeated exploitation leads to sustained CPU exhaustion, resulting in service disruption."}}}}, "created": "2026-04-09T08:18:22.062174+00:00", "title": "CPU\u2011Exhaustion Denial of Service in React Server Components", "updated": "2026-04-09T08:27:44.524981+00:00", "vendors": ["facebook", "facebook$PRODUCT$react-server-dom-parcel", "facebook$PRODUCT$react-server-dom-turbopack", "facebook$PRODUCT$react-server-dom-webpack"]}