React Server Components DoS

A high‑severity denial‑of‑service flaw was disclosed in React Server Components that can exhaust server resources via the Flight protocol and crash affected services. Security researchers are calling the issue “React2DoS” and say unauthenticated attackers can trigger the problem, raising operational risk for apps that adopt server components heavily. This widens frontend engineers’ threat model because performance‑oriented architecture now directly affects infrastructure stability. (securityboulevard.com)

React Server Components were built to move part of a page’s work from the browser back to the server, so a React app can send smaller JavaScript files to your phone and do more assembly work in the data center. The server then streams the finished pieces back in a special format that React calls the Flight protocol. (react.dev) That streaming format is supposed to act like a packing slip for a shipment: it tells the browser which component, which data, and which server action belongs where. In this bug, researchers found that a malicious request could turn that packing slip into a server resource sink instead. (react.dev) (imperva.com)

The newly disclosed issue is tracked as CVE-2026-23869, and the United States National Vulnerability Database lists it as a high-severity denial-of-service flaw with a Common Vulnerability Scoring System score of 7.5 out of 10. The official React advisory says the bug can be triggered by specially crafted Hypertext Transfer Protocol requests sent to Server Function endpoints. (nvd.nist.gov) (github.com)

The dangerous part is that the attacker does not need to log in first. Imperva’s write-up says an unauthenticated attacker can send a payload that forces excessive computation during deserialization, which is the step where the server turns incoming bytes back into usable objects. (imperva.com) (github.com) Deserialization sounds abstract, but the everyday version is simple: it is the moment a mailroom worker opens a box and tries to rebuild what the label describes. If the label is crafted to create huge amounts of work, the worker burns time and the line behind them stops moving. (imperva.com)

The React advisory names three affected packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. The listed vulnerable ranges are 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. (github.com) The fixes are already out, and the patched versions are 19.0.5, 19.1.6, and 19.2.5. If a team is using a framework that bundles these React Server Components libraries under the hood, the practical job is to check the lockfile and upgrade the transitive dependency, not just the top-level app code. (github.com) (netlify.com)

This reaches beyond React itself because React Server Components are a core feature inside frameworks like Next.js. Netlify’s advisory says the flaw affects React Server Components used by Next.js and other React metaframeworks, which means many teams may be exposed without ever importing the low-level package directly. (netlify.com) The researchers also place this bug next to CVE-2026-23864, another recent Flight protocol issue, which suggests the attack surface is not a single coding mistake but a young protocol getting stress-tested in production. When frontend frameworks start inventing network protocols, parser bugs stop being a backend-only problem. (imperva.com)

A proof-of-concept repository is already public on GitHub, which usually shortens the time between disclosure and opportunistic scanning. Once a working example exists, attackers do not need to discover the bug from scratch; they only need to adapt the request shape to exposed Server Function endpoints. (github.com 1) (github.com 2)

For teams running React Server Components today, the immediate checklist is narrow and concrete: upgrade to a patched version, identify any public Server Function endpoints, and put rate limits or web application firewall rules in front of them while the rollout finishes. Fastly and Netlify both published customer guidance built around that exact containment approach. (fastly.com) (netlify.com)
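The lockfile check recommended above, as an added example that is not code from the React project or from this article: a Node.js script that scans an npm package-lock.json for the three affected packages and the advisory's version ranges, including transitive copies nested under another package. It assumes a lockfileVersion 2 or 3 `packages` map; the sample lockfile and the `example-framework` parent name are constructed.

```javascript
// Advisory data copied from the page: affected packages, vulnerable ranges, patched versions.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-turbopack', 'react-server-dom-parcel',
]);
const VULNERABLE_RANGES = [
  { min: [19, 0, 0], max: [19, 0, 4], fixed: '19.0.5' },
  { min: [19, 1, 0], max: [19, 1, 5], fixed: '19.1.6' },
  { min: [19, 2, 0], max: [19, 2, 4], fixed: '19.2.5' },
];
// Parse "MAJOR.MINOR.PATCH" into numbers. A prerelease suffix such as "-canary.x" is
// ignored, so prereleases of a vulnerable base are flagged too (assumption; errs toward reporting).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to if `version` is in a vulnerable range, else null.
function fixedVersionFor(version) {
  const p = parseVersion(version);
  const hit = p && VULNERABLE_RANGES.find(r => cmp(p, r.min) >= 0 && cmp(p, r.max) <= 0);
  return hit ? hit.fixed : null;
}

// Walk the lockfile "packages" map (lockfileVersion 2 or 3). Keys are "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>" for nested transitive copies a top-level upgrade can miss.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const upgradeTo = fixedVersionFor(entry.version);
    if (upgradeTo) findings.push({ path, name, version: entry.version, upgradeTo });
  }
  return findings;
}
// Constructed sample lockfile (not a real project): a vulnerable copy nested under a
// hypothetical framework package, plus an already-patched top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/example-framework/node_modules/react-server-dom-webpack': { version: '19.2.3' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.5' },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; any finding with a nested path means the fix has to be applied to the parent package's dependency, not only the app's direct dependencies.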

Shared from Scout - Be the smartest in the room.