
CVE-2026-23870: React Server Components DoS Flaw Hits Next.js App Router Apps; How to Reproduce Safely and Patch

Samir Haddad
Vulnerability analyst · Updated May 17, 2026, 9:52 AM EDT

A high-severity React Server Components denial-of-service flaw can let unauthenticated attackers degrade vulnerable Next.js App Router apps through crafted Server Function requests.

A high-severity denial-of-service vulnerability in React Server Components can allow unauthenticated attackers to crash or degrade vulnerable server-side React applications by sending crafted HTTP requests to Server Function endpoints. Tracked as CVE-2026-23870, the flaw affects react-server-dom-* packages in React 19 release lines and downstream frameworks including Next.js App Router deployments.

The vulnerability carries a CVSS 7.5 High rating with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning it is network-exploitable, low-complexity, requires no login, needs no user interaction and primarily affects availability. Successful exploitation can trigger excessive CPU usage, out-of-memory exceptions, server hangs or process crashes.

The immediate fix is straightforward: upgrade affected React Server Components packages to 19.0.6, 19.1.7 or 19.2.6, depending on the application’s React minor line. Next.js users running App Router should upgrade to patched Next.js versions, at minimum 15.5.16 or 16.2.5, with later patch releases preferred where available.

What Is Affected

The upstream vulnerability sits in the React Server Components package family used to support server-side component rendering and Server Functions. Client-only React apps are not automatically exposed. The risk applies when an application runs React on the server through tooling that supports React Server Components or Server Functions.

Component                   Vulnerable versions                             Fixed versions
react-server-dom-webpack    19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5     19.0.6, 19.1.7, 19.2.6
react-server-dom-parcel     19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5     19.0.6, 19.1.7, 19.2.6
react-server-dom-turbopack  19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5     19.0.6, 19.1.7, 19.2.6
next (App Router)           >=13.0.0 <15.5.16, >=16.0.0 <16.2.5             15.5.16, 16.2.5

The most common real-world exposure is likely to be Next.js App Router, because App Router applications can expose Server Function endpoints backed by the affected React Server Components stack. Older Next.js 13.x and 14.x deployments should not assume they will receive backported fixes; teams should move to a supported patched line.

How the Attack Works

Public advisories describe the trigger as a specially crafted HTTP request sent to a Server Function endpoint. When the vulnerable server deserializes the request, it may allocate resources without sufficient throttling or enter expensive processing paths that consume excessive CPU or memory.

The issue is not a data-theft bug. The CVSS vector records no confidentiality or integrity impact. That does not make it harmless. Availability-only flaws can still take customer-facing applications offline, exhaust serverless budgets, force container restarts or create cascading failures behind load balancers.

Security teams should avoid conflating CVE-2026-23870 with earlier React Server Components vulnerabilities disclosed in late 2025 and early 2026. Those issues are related by component family and attack surface, but CVE-2026-23870 has its own affected version ranges and patch levels.

How to Reproduce Safely

A responsible reproduction should confirm exposure and patch effectiveness without publishing or running a weaponized denial-of-service payload against production systems. The public primary advisories do not provide an official exploit body, and defenders do not need one to identify vulnerable deployments.

Start by checking dependency versions in a controlled environment:

npm ls next react react-dom \
 react-server-dom-webpack \
 react-server-dom-parcel \
 react-server-dom-turbopack

For pnpm or Yarn:

pnpm why next
pnpm why react-server-dom-webpack
pnpm why react-server-dom-parcel
pnpm why react-server-dom-turbopack

yarn why next
yarn why react-server-dom-webpack

A vulnerable dependency tree might include:

[email protected]
[email protected]

That combination is exposed because [email protected] is below the patched 15.5.16 release and [email protected] is below the fixed 19.1.7 release.

Next, confirm whether the application uses App Router and Server Functions:

find app -type f \( -name "*.js" -o -name "*.jsx" -o -name "*.ts" -o -name "*.tsx" \) \
 -exec grep -nH "'use server'\|\"use server\"" {} \;

Likely exposure indicators include:

  • An app/ directory in a Next.js project.
  • Server Actions or Server Functions using 'use server'.
  • Installed vulnerable next or react-server-dom-* versions.
  • Publicly reachable endpoints backed by App Router Server Functions.

For non-destructive validation, build and run the app locally or in an isolated staging environment:

npm run build
npm run start

Then run a normal smoke test:

curl -i http://localhost:3000/

Monitor baseline CPU, memory and process behavior during ordinary requests:

top -o cpu
docker stats
pm2 monit

Do not run crafted payloads against production, third-party applications, shared hosting, public preview deployments or customer-facing environments. If an internal red team validates exploitability, it should do so only in an isolated lab using an approved test app and should compare vulnerable and patched versions under controlled monitoring.
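As an added example (not code from the advisory, React or Next.js), the following Node script applies the version ranges from the affected-versions table to the dependency tree that `npm ls --json` prints, covering the version-check step above. The sample tree is constructed, and the walk over the whole tree goes beyond the single package pair discussed earlier.

```javascript
// Vulnerable ranges from the affected-versions table, as half-open
// [minInclusive, maxExclusive] pairs: 19.0.0–19.0.5 becomes >=19.0.0 <19.0.6.
const RSC_RANGES = [['19.0.0', '19.0.6'], ['19.1.0', '19.1.7'], ['19.2.0', '19.2.6']];
const VULNERABLE = {
  'react-server-dom-webpack': RSC_RANGES,
  'react-server-dom-parcel': RSC_RANGES,
  'react-server-dom-turbopack': RSC_RANGES,
  next: [['13.0.0', '15.5.16'], ['16.0.0', '16.2.5']],
};

// Parse MAJOR.MINOR.PATCH. Prerelease tags ("-canary.3") are ignored, so a
// canary of a fixed version is treated as fixed; check those by hand.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when `version` of package `name` is inside a CVE-2026-23870 range.
function isVulnerable(name, version) {
  return (VULNERABLE[name] || []).some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0,
  );
}

// Walk the nested "dependencies" objects that `npm ls --json` prints and
// report each vulnerable package with the path that pulls it in.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (node.version && isVulnerable(name, node.version)) {
      out.push({ name, version: node.version, via: here.join(' > ') });
    }
    findVulnerable(node, here, out);
  }
  return out;
}

const SAMPLE_TREE = { // constructed sample in the shape of `npm ls --json` output
  name: 'example-app',
  dependencies: {
    next: { version: '15.5.15', dependencies: { 'react-server-dom-webpack': { version: '19.1.6' } } },
    react: { version: '19.1.0' },
  },
};
```

To check a real project, replace SAMPLE_TREE with JSON.parse of the output of `npm ls --json --all` and print findVulnerable on it.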

How to Fix

For direct React Server Components users, upgrade the affected package to the patched version matching the current React minor line:

# React 19.0.x line
npm install [email protected]

# React 19.1.x line
npm install [email protected]

# React 19.2.x line
npm install [email protected]

If the application uses Parcel or Turbopack RSC packages, upgrade those as well:

npm install [email protected]
npm install [email protected]

For Next.js App Router applications, upgrade Next.js:

npm install [email protected]
# or
npm install [email protected]

Where possible, move to the newest patch release in the supported line, such as:

npm install [email protected]
# or
npm install [email protected]

After changing versions, perform a clean install and rebuild:

rm -rf node_modules
npm install
npm run build
npm test
npm audit --omit=dev
npm ls next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

Finally, redeploy every live environment, not only the main production deployment. Staging environments, branch deployments, preview builds, serverless functions and edge/server rendering environments can continue running vulnerable immutable builds even after the main branch is patched.

Temporary Mitigations

Upgrading is the only reliable fix. If a same-day upgrade is blocked, teams can reduce exposure while preparing the patch:

Mitigation                                             Value                                 Limitation
Restrict access to Server Function endpoints           Reduces unauthenticated reachability  May break public app flows
Rate-limit suspicious POST traffic                     Slows repeated DoS attempts           One request may still be expensive
Enforce request body limits                            Helps against oversized payloads      Does not stop all CPU-heavy inputs
Add WAF rules for RSC/Server Function abuse patterns   Blocks known signatures               Variants may bypass generic rules
Set worker CPU and memory limits                       Contains process-level blast radius   Users may still see 5xx errors
Review serverless concurrency and cost alerts          Limits operational surprise           Does not remove vulnerability

Detection should focus on symptoms: sudden CPU spikes, heap growth, out-of-memory logs, repeated POST requests to App Router or Server Function endpoints, bursts of 5xx responses and increased serverless duration or cost.

Useful triage commands include:

grep -Ei 'POST|multipart/form-data|text/x-component|_rsc|server' access.log \
 | awk '{print $1}' \
 | sort | uniq -c | sort -nr | head
grep -Ei 'out of memory|heap|cpu|timeout|server action|server function|react-server-dom' app.log
kubectl top pods
kubectl logs deploy/nextjs-deployment-name --since=2h | grep -Ei 'heap|memory|timeout|react-server-dom'
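The following is an added example, not part of the original article, that turns the grep-and-count triage above into a per-client report over constructed access-log lines. The log format, the use of `_rsc`, `multipart/form-data` and `text/x-component` as Server Function indicators, and the burst thresholds are assumptions to adapt to your own log shape.

```javascript
// Constructed sample lines (not from a real deployment) in a simple format:
// client-ip [timestamp] "METHOD path" status duration-ms "request-content-type"
const SAMPLE_LOG = [
  '198.51.100.4 [17/May/2026:09:40:01 +0000] "GET /dashboard HTTP/1.1" 200 38 "-"',
  '198.51.100.4 [17/May/2026:09:40:03 +0000] "POST /dashboard HTTP/1.1" 200 121 "multipart/form-data"',
  '203.0.113.7 [17/May/2026:09:41:10 +0000] "POST /dashboard HTTP/1.1" 503 4980 "multipart/form-data"',
  '203.0.113.7 [17/May/2026:09:41:11 +0000] "POST /dashboard HTTP/1.1" 503 5120 "multipart/form-data"',
  '203.0.113.7 [17/May/2026:09:41:12 +0000] "POST /dashboard HTTP/1.1" 500 6010 "text/x-component"',
  '203.0.113.7 [17/May/2026:09:41:13 +0000] "POST /dashboard?_rsc=1 HTTP/1.1" 503 4870 "text/plain"',
  '203.0.113.7 [17/May/2026:09:41:14 +0000] "POST /dashboard HTTP/1.1" 503 5300 "multipart/form-data"',
  '203.0.113.7 [17/May/2026:09:41:15 +0000] "GET /static/app.js HTTP/1.1" 200 4 "-"',
];

const LINE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+) "([^"]*)"$/;

function parseLine(line) {
  const m = LINE.exec(line);
  return m && { ip: m[1], ts: m[2], method: m[3], path: m[4], status: +m[5], ms: +m[6], ctype: m[7] };
}

// Indicators taken from the grep pattern above: POSTs that carry RSC/Server
// Function markers (multipart bodies, text/x-component, the _rsc query key).
function isServerFunctionRequest(r) {
  return r.method === 'POST' &&
    (/[?&]_rsc=/.test(r.path) || /multipart\/form-data|text\/x-component/i.test(r.ctype));
}

// Aggregate per client IP and flag sources with a burst of slow or failing
// Server Function POSTs. Thresholds are assumptions to tune per deployment.
function triage(lines, { minRequests = 5, slowMs = 2000 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !isServerFunctionRequest(r)) continue;
    const s = perIp.get(r.ip) || { ip: r.ip, requests: 0, errors5xx: 0, totalMs: 0 };
    s.requests += 1;
    s.errors5xx += r.status >= 500 ? 1 : 0;
    s.totalMs += r.ms;
    perIp.set(r.ip, s);
  }
  return [...perIp.values()]
    .map((s) => {
      const avgMs = Math.round(s.totalMs / s.requests);
      const suspicious = s.requests >= minRequests && (s.errors5xx > 0 || avgMs >= slowMs);
      return { ip: s.ip, requests: s.requests, errors5xx: s.errors5xx, avgMs, suspicious };
    })
    .sort((a, b) => b.requests - a.requests);
}
```

Flagged IPs are a starting point for rate limiting or access restriction, not proof of exploitation; correlate them with the CPU and heap symptoms listed above before acting.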

CVE-2026-23870 is a reminder that server-side component frameworks have become part of the application attack surface, not merely developer tooling. Teams that adopted React Server Components or Next.js App Router should treat RSC package versions as production security dependencies, verify transitive updates through lockfiles, and redeploy all exposed environments after patching.