React Server Components DoS Flaw

Two security reports disclosed a high-severity flaw in React Server Components that can let unauthenticated actors exhaust server resources and cause denial of service in affected apps. The reports warn that the risk stems from moving rendering into the server pipeline, which enlarges the attack surface and lets the flaw be triggered by cheap requests. They also name the standard mitigations (rate limiting, request validation, caching discipline and monitoring) as the practical responses researchers recommend. (cybersecuritynews.com) (gbhackers.com)

React Server Components are the part of React that lets the browser ask the server to build pieces of a page before sending them back, instead of doing all the work in the browser. That design can speed up page loads, but it also means ordinary page rendering now sits directly in the server's request pipeline. (react.dev)

The newly disclosed problem is a denial-of-service bug: an attacker can make a server spend so much time or memory on bad requests that real users get slow pages or no pages at all. GitHub's advisory says the bug can be triggered by specially crafted HTTP requests sent to Server Function endpoints. (github.com) The dangerous part is cost. The attacker does not need an account; the advisory says the requests can come from an unauthenticated actor, so a cheap burst of traffic can force the server to do expensive work. (github.com)

The affected packages are the three React Server Components transport layers: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. GitHub lists vulnerable releases across the 19.0.x, 19.1.x, and 19.2.x lines, with fixes in 19.0.5, 19.1.6, and 19.2.5. (github.com)

This did not appear out of nowhere. In December 2025, the React team disclosed an earlier critical React Server Components bug, nicknamed React2Shell, that allowed remote code execution, and researchers found more weaknesses while testing those patches. (react.dev 1) (react.dev 2) That history matters because the December 11, 2025 advisory said the first fix was incomplete in at least one denial-of-service case. GitHub then published another denial-of-service advisory on April 8, 2026 for a broader set of affected versions, which shows this part of the stack has needed repeated hardening. (github.com 1) (github.com 2)

If you use Next.js, this can land indirectly, because Next.js is one of the biggest frameworks built on top of React Server Components. Next.js said in its December 11, 2025 security update that there was no workaround for the earlier React Server Components issues and that upgrading to patched versions was required. (nextjs.org)

The practical fix starts with patching the React packages, because rate limits do not remove the bug itself. After that, researchers and security writeups point to standard pressure valves: rate limiting, strict request validation, careful caching rules, and monitoring for spikes in CPU use, memory use, and request volume. (github.com) (cybersecuritynews.com) (gbhackers.com)

The bigger lesson is that moving rendering to the server changes what a web request can do. A page view used to be mostly a fetch for files, but in a React Server Components app it can become a trigger for server-side computation, which gives attackers more ways to turn tiny requests into expensive work. (react.dev)
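Since patching comes first, an added example (not code from the React project, Next.js or the advisories) of a small Node.js check that walks a package-lock.json and flags the three transport packages named above when they sit below the fixed versions 19.0.5, 19.1.6 and 19.2.5. It assumes the lockfileVersion 2/3 `packages` layout, covers only the 19.0.x, 19.1.x and 19.2.x lines the article lists, and the sample lockfile is constructed.

```javascript
// Packages the advisory names as affected (from the article above).
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Minimum patched release per minor line, as stated in the advisory.
const FIXED_PATCH = { "19.0": 5, "19.1": 6, "19.2": 5 };

// Parse "major.minor.patch[-prerelease]"; returns null on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// "vulnerable": below the fixed release of a covered line.
// "fixed": at or above it. "unverified": not covered by this check
// (other packages, other lines, unparsable or prerelease builds).
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return "unverified";
  const p = parseVersion(version);
  if (!p) return "unverified";
  const fixed = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixed === undefined) return "unverified"; // line not listed in the article
  if (p.pre) return "unverified";               // canary/prerelease: review by hand
  return p.patch < fixed ? "vulnerable" : "fixed";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys are install paths, so nested copies under another package are seen too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/react-server-dom-webpack": { version: "19.2.4" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.5" },
    "node_modules/react-server-dom-parcel": { version: "19.1.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f.status, f.path, f.version);
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any "vulnerable" line means the upgrade has not actually landed, whatever package.json says.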
