CVE-2026-23870

Summary

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

Affected Software

VendorProductVersion RangeStatus
Metareact-server-dom-turbopack19.0.0 <= 19.0.5affected
Metareact-server-dom-turbopack19.1.0 <= 19.1.6affected
Metareact-server-dom-turbopack19.2.0 <= 19.2.5affected
Metareact-server-dom-parcel19.0.0 <= 19.0.5affected
Metareact-server-dom-parcel19.1.0 <= 19.1.6affected
Metareact-server-dom-parcel19.2.0 <= 19.2.5affected
Metareact-server-dom-webpack19.0.0 <= 19.0.5affected
Metareact-server-dom-webpack19.1.0 <= 19.1.6affected
Metareact-server-dom-webpack19.2.0 <= 19.2.5affected

Weaknesses

  • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References