2456663 – (CVE-2026-23869) CVE-2026-23869 react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints

Bug 2456663 (CVE-2026-23869) - CVE-2026-23869 react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints

Summary: CVE-2026-23869 react-server-dom-parcel: react-server-dom-turbopack: react-ser...

Keywords:
Status:	NEW
Alias:	CVE-2026-23869
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-08 20:01 UTC by OSIDB Bzimport
Modified:	2026-04-10 19:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-08 20:01:25 UTC

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.

Note You need to log in before you can comment on or make changes to this bug.