CVE-2026-23870
Published May 6, 2026
Last updated a month ago
AI description
CVE-2026-23870 is a denial-of-service vulnerability impacting React Server Components (RSC) and frameworks that utilize RSC functionality, such as Next.js. This flaw allows an attacker to trigger a denial of service by sending specially crafted HTTP requests to server function endpoints. Successful exploitation of this vulnerability can lead to server crashes, out-of-memory exceptions, or excessive CPU usage. The affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` across various versions of React 19.x.
- Description: A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints. This could lead to server crashes, out-of-memory exceptions or excessive CPU usage, affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).
- Source: cve-assign@fb.com
- NVD status: Received
CVSS 3.1
- Type: Secondary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity: HIGH
- Hype score: Not currently trending
Judging from the article, the vulnerabilities addressed in the latest Next.js release are probably these 👀 CVE-2026-44574 CVE-2026-44575 CVE-2026-23870 CVE-2026-44578 CVE-2026-44579 Multiple Critical Vulnerabilities Patched in Next.js and React Server Components https://
@oTheRwoRldy
14 May 2026
Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy
@Psycho10k_
11 May 2026