Anonymous Intelligence Signal

React Server Components Flaw Enables Denial-of-Service Attacks on 19.2.x Deployments

The Lab | unverified | 2026-04-28 12:54:11 | Source: GitHub Issues

A high-severity vulnerability in React's Server Components architecture exposes applications running versions 19.2.0 through 19.2.4 to denial-of-service conditions. Tracked as CVE-2026-23869 with a CVSS score of 7.5 (High), the flaw resides in the `react-server-dom-webpack` package, the webpack binding for React's Flight protocol that serializes the Server Components payload and deserializes incoming Server Function requests. It is published in lockstep with `react` and `react-dom` rather than embedded in them. The issue stems from insufficient bounds checking during deserialization of HTTP requests directed at Server Function endpoints, allowing specially crafted payloads to trigger uncontrolled CPU consumption.

The vulnerability, disclosed on April 10, 2026, affects any deployment leveraging React 19.2.x's server rendering capabilities, particularly those exposing custom Server Function endpoints to untrusted network traffic. Attackers can exploit the flaw by sending malformed requests to those endpoints. Because the framework deserializes the request body before it invokes the Server Function, validation written inside the function body never runs on the malicious input; only checks placed in front of the deserializer (body size caps, content-type allowlists, request deadlines) can take effect. A successful request ties up the server process or consumes CPU beyond acceptable thresholds. The `react-server-dom-webpack` package does not independently enforce strict deserialization limits, leaving the responsibility to application-level mitigations that may be absent in older codebases.

The fix is straightforward but requires immediate action: applications must upgrade `react`, `react-dom` and `react-server-dom-webpack` together to version 19.2.5 or later. The three packages are versioned in lockstep, and a lockfile that pins `react-server-dom-webpack` to an older release leaves the vulnerable deserializer in place even after `react` and `react-dom` move, so check the installed version of every `react-server-dom-*` package rather than only the two core ones. Frameworks that vendor their own copy of the package instead of resolving it from `node_modules` must be updated through the framework's own release. Organizations running affected React versions behind public-facing endpoints or API gateways face the highest exposure, especially where Server Functions handle user-supplied data. Security teams should audit server-side request handling paths and verify that load balancers or WAFs are not relied upon as the sole mitigation layer, given the application-level nature of the deserialization flaw.