React Server Components DoS found
A newly reported flaw in React Server Components allows unauthenticated actors to exhaust server resources and trigger denial‑of‑service conditions, meaning modern app frameworks can still be knocked offline. Reports vary on technical details, but the consistent takeaway is that resource‑exhaustion attacks remain a serious availability vector in web stacks. (cybersecuritynews.com) (gbhackers.com)
A React page can now be knocked over without a login if it exposes the wrong server endpoint. GitHub published a new advisory on April 8, 2026 saying specially crafted HTTP (Hypertext Transfer Protocol) requests can trigger denial of service in React Server Components packages. (github.com)

React Server Components are the part of React that lets a server build pieces of a page before the browser sees them. The goal is to send less JavaScript to the user's device by doing more of the work on the server first. (react.dev)

That design also creates a new choke point. If an attacker can make the server do expensive work over and over, the app can slow down, run out of memory, or crash before any page reaches a real user. (vercel.com)

The newly disclosed bug hits the packages react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. GitHub lists the patched versions as 19.0.5, 19.1.6, and 19.2.5. (github.com)

The weak spot is a Server Function endpoint, the address a browser calls when it asks the server to run a piece of code for a form submit or button click. GitHub says the attack works by sending specially crafted requests to those endpoints. (github.com)

Imperva, the security firm that disclosed the issue, nicknamed the bug "React2DoS." Its writeup says an unauthenticated remote attacker can exhaust server resources through the React Flight protocol, the data format React uses to stream server-built components to the browser. (imperva.com)

This is not the first time this part of React has had trouble. React's own security blog said on December 11, 2025, and updated on January 26, 2026, that researchers found additional React Server Components bugs while trying to exploit the fixes for an earlier flaw. (react.dev) That earlier flaw is tracked as CVE-2026-23864 in the National Vulnerability Database, whose entry says multiple denial of service vulnerabilities remained in React Server Components after incomplete fixes. (nvd.nist.gov)

The pattern here is simple: modern web frameworks moved work from the browser back to the server to make apps feel faster. That shift means availability bugs now sit in the same path as normal page rendering, so a malformed request can become a traffic jam instead of just a bad response. (react.dev) (vercel.com)

For teams running React 19 with Server Components turned on, the immediate fix is version hygiene. GitHub's advisory says to upgrade the affected packages to 19.0.5, 19.1.6, or 19.2.5, because the vulnerable ranges are 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. (github.com)

Even after patching, the old lesson still applies. If a public endpoint can force expensive work, rate limits, request size checks, and isolation between frontend traffic and backend workers are what keep one bad request from becoming thousands. (vercel.com)
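As an added example, not code from the advisory, Imperva, or the React project: a small Node script that applies both recommendations above, checking resolved react-server-dom-* versions against the ranges the advisory lists and gating oversized or too-frequent POSTs before they reach a Server Function handler. The body-size and rate limits, the clientId field, and the sample lockfile versions are assumptions.

```javascript
// Added example (not from the advisory, Imperva or the React project).
// Flags react-server-dom-* packages whose resolved version falls in the
// vulnerable ranges GitHub lists, and gates oversized or too-frequent POSTs.
const AFFECTED = new Set(['react-server-dom-webpack',
  'react-server-dom-turbopack', 'react-server-dom-parcel']);
// First fixed release per line (advisory): 19.0.0-19.0.4 -> 19.0.5, and so on.
const FIXED_BY_LINE = { '19.0': '19.0.5', '19.1': '19.1.6', '19.2': '19.2.5' };

// Parse an exact resolved version, as a lockfile records it; ranges are rejected.
function parseExact(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) throw new Error(`expected exact x.y.z, got "${version}"`);
  return m.slice(1).map(Number);
}

// True when pkg is affected and its version sits below that line's fixed patch.
function isVulnerable(pkg, version) {
  if (!AFFECTED.has(pkg)) return false;
  const [major, minor, patch] = parseExact(version);
  const fixed = FIXED_BY_LINE[`${major}.${minor}`];
  return fixed !== undefined && patch < parseExact(fixed)[2];
}

// Audit resolved dependency versions; returns each vulnerable package and its fix.
function auditResolved(deps) {
  return Object.entries(deps)
    .filter(([pkg, v]) => isVulnerable(pkg, v))
    .map(([pkg, v]) => ({ pkg, version: v, upgradeTo: FIXED_BY_LINE[v.slice(0, v.lastIndexOf('.'))] }));
}

// Request gate: cap the declared body size and count POSTs per client in a
// sliding window. The limits and the clientId field are assumptions.
const MAX_BODY_BYTES = 64 * 1024, MAX_POSTS = 30, WINDOW_MS = 10_000;
const recent = new Map(); // clientId -> timestamps of accepted POSTs
function gateRequest({ method, clientId, contentLength }, now = Date.now()) {
  if (method !== 'POST') return { ok: true };
  const len = Number(contentLength);
  if (!Number.isInteger(len) || len < 0) return { ok: false, status: 411 };
  if (len > MAX_BODY_BYTES) return { ok: false, status: 413 };
  const stamps = (recent.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  if (stamps.length >= MAX_POSTS) return { ok: false, status: 429 };
  stamps.push(now);
  recent.set(clientId, stamps);
  return { ok: true };
}

// Constructed sample of resolved versions, as a lockfile would record them.
const sampleResolved = { react: '19.2.4', 'react-server-dom-webpack': '19.2.4',
  'react-server-dom-parcel': '19.1.6', next: '15.0.0' };
console.log(auditResolved(sampleResolved));
```

Feed auditResolved the exact versions from a lockfile rather than package.json ranges, since a caret range says nothing about what is actually installed.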