React, the popular JavaScript library used by millions of developers for building user interfaces, has issued an urgent advisory regarding a denial of service (DoS) vulnerability. The flaw specifically impacts React Server Components, a modern feature that allows developers to render components on the server to improve performance and user experience.
The vulnerability, tracked as CVE-2026-23869 with a CVSS score of 7.5, is triggered by sending specially crafted HTTP requests to Server Function endpoints.
When these malicious requests are processed, the payload causes “excessive CPU usage for up to a minute”. While the process eventually ends in a “thrown error that is catchable,” the resulting resource exhaustion can effectively take down an application server, preventing legitimate users from accessing the service.
This vulnerability is highly specific to applications utilizing particular React Server Component packages in conjunction with a server-side environment. You are affected if you use any of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
The impacted versions include:
- 19.0.0 through 19.0.4
- 19.1.0 through 19.1.5
- 19.2.0 through 19.2.4
Who is safe? If your app’s React code “does not use a server,” or if you do not use a “framework, bundler, or bundler plugin that supports React Server Components,” your application is not affected by this flaw.
The React team has moved quickly to backport security fixes to the affected release branches. Developers are “recommended to update immediately” to the following patched versions to mitigate the risk of a DoS attack:
- Upgrade to 19.0.5 (for the 19.0.x branch)
- Upgrade to 19.1.6 (for the 19.1.x branch)
- Upgrade to 19.2.5 (for the 19.2.x branch)
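The package names, affected ranges and fixed releases listed above can be turned into a lockfile check. This is an added example, not code from the React advisory: it assumes an npm `package-lock.json` that carries the `packages` map (lockfileVersion 2 or 3), and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: flag installs of the affected RSC packages in an npm lockfile.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Per release branch: first patched patch level, taken from the lists above.
const FIXED_PATCH = { '19.0': 5, '19.1': 6, '19.2': 5 };

// Returns the version to upgrade to, or null if the version is outside the affected ranges.
function fixedVersionFor(version) {
  // Only plain x.y.z versions are evaluated; prerelease tags are skipped (assumption).
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return null;
  const branch = `${m[1]}.${m[2]}`;
  const fixed = FIXED_PATCH[branch];
  if (fixed === undefined || Number(m[3]) >= fixed) return null;
  return `${branch}.${fixed}`;
}

// Walks the lockfile "packages" map, so nested (transitive) copies are found too.
function findAffected(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    const upgradeTo = fixedVersionFor(entry.version);
    if (upgradeTo) findings.push({ path, name, installed: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.5' },
    'node_modules/some-plugin/node_modules/react-server-dom-parcel': { version: '19.2.5' },
    'node_modules/react-server-dom-turbopack': { version: '19.0.0' },
    'node_modules/react': { version: '19.2.4' },
  },
};

for (const f of findAffected(sampleLock)) {
  console.log(`${f.path}: ${f.installed} is affected, upgrade to ${f.upgradeTo}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected` in place of the sample object.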
As React Server Components become more deeply embedded in the modern web development workflow, maintaining the security of these server-side endpoints is critical. Patching to the latest version is the only way to ensure your application remains resilient against resource exhaustion attacks.