react-server-dom-webpack CWE-400 CWE-770 React Server Components Denial of Service (CVE-2026-23870)
- Published: May 6, 2026
- Last updated: May 9, 2026
- Status: Active
- GHSA: GHSA-rv78-f8rc-xrxh
Summary
React Server Components packages (`react-server-dom-webpack` / `parcel` / `turbopack`) 19.0.0 to 19.2.5 contain a high (CVSS 7.5) denial-of-service vulnerability where Server Function endpoints can be exhausted via memory allocation or CPU consumption when handling crafted HTTP requests. Upgrade immediately to 19.0.6 / 19.1.7 / 19.2.6.
Affected versions
| Affected range | Patched |
|---|---|
| >=19.0.0 <19.0.6 | 19.0.6 |
| >=19.1.0 <19.1.7 | 19.1.7 |
| >=19.2.0 <19.2.6 | 19.2.6 |
Hosting Environment Impact
This vulnerability affects every environment that exposes React Server Components Server Function endpoints to external traffic.
- Next.js App Router (15.x / 16.x): Affected. Next.js itself was patched in the May 2026 coordinated release (≥ 15.5.16 / ≥ 16.2.5).
- Vercel / Netlify / Cloudflare Pages: Affected. Hosting adapters share the same RSC runtime — patched packages are mandatory regardless of deployment target.
- Self-hosted Node.js: Affected. If you run a custom RSC integration, you must upgrade `react-server-dom-*` directly.
- Parcel / Turbopack direct use: Affected. `react-server-dom-parcel` and `react-server-dom-turbopack` need the same patch.
Vulnerability Mechanism
The React Server Components runtime processes a Server Function call by accepting an HTTP request, deserializing the RSC payload it carries (a serialized React tree), and executing it. The deserialization path lacked sufficient bounds (allocation caps, throttling, recursion limits) on input size, nesting depth, and repetition count. An attacker can deliberately send oversized or deeply nested payloads to trigger:
- Node.js heap exhaustion → Out of Memory exception
- Excessive CPU during (de)serialization → response latency → cascading impact on other requests served by the same instance
The CVSS 7.5 (High) rating reflects (1) no authentication required, (2) a single request can degrade service availability, and (3) every Next.js App Router project that relies on RSC is broadly affected.
Patch & Mitigation
1. Upgrade to the patched RSC packages (recommended)
Match the React major you are using:
```sh
# React 19.0.x line
npm install [email protected] \
[email protected] \
[email protected]
# React 19.1.x line
npm install [email protected] \
[email protected] \
[email protected]
# React 19.2.x line (recommended)
npm install [email protected] \
[email protected] \
[email protected]
```
2. Next.js users
Next.js App Router users do not interact with the RSC packages directly — patching Next.js itself is sufficient (the May 2026 release bundled the fix).
```sh
npm install [email protected] # 15.x line
npm install [email protected] # 16.x line
npm install next@latest # latest stable
```
3. Temporary mitigations (before patching)
If you cannot apply the upstream patch immediately, layer the following defenses to reduce blast radius. Treat these as a stop-gap only, not a substitute for upgrading.
- Request body size limits: Cap incoming RSC endpoint bodies at the reverse proxy / WAF (Nginx, Cloudflare, AWS ALB) — for example 256 KB or 1 MB depending on your usage.
- Rate limiting: Throttle or block bursts of RSC requests from the same IP.
- Tighter request timeouts: Reduce Node.js request timeouts so a single attack request cannot starve the whole instance.
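For the self-hosted Node.js case, an added example (not code from the advisory, React or Next.js) of the same three stop-gaps applied in-process, for when the reverse proxy cannot be changed: a per-IP rate limiter, a Content-Length gate, and a streaming body read that aborts at the cap and on a deadline. All limits and the `admit` / `readBoundedBody` / `makeRateLimiter` names are assumptions.

```javascript
// Added example, not code from the advisory or from React/Next.js: an in-process
// stop-gap for a self-hosted Node.js RSC server that applies the three
// mitigations above. All limits (256 KB, 60 requests/minute, 10 s) are assumed.
const MAX_BODY_BYTES = 256 * 1024;   // assumed cap, the 256 KB figure from the text
const WINDOW_MS = 60_000;            // assumed rate-limit window
const MAX_REQUESTS_PER_WINDOW = 60;  // assumed per-IP budget
const REQUEST_DEADLINE_MS = 10_000;  // assumed per-request deadline

// Sliding-window counter keyed by client IP; returns true when the request may proceed.
function makeRateLimiter(limit = MAX_REQUESTS_PER_WINDOW, windowMs = WINDOW_MS) {
  const hits = new Map(); // ip -> timestamps of requests still inside the window
  return function allow(ip, now = Date.now()) {
    const recent = (hits.get(ip) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) { hits.set(ip, recent); return false; }
    recent.push(now);
    hits.set(ip, recent);
    return true;
  };
}

// Gate a request before its body is read: rate limit first, then reject a
// declared Content-Length above the cap so nothing is allocated for it.
function admit(req, allow, maxBytes = MAX_BODY_BYTES) {
  const ip = (req.socket && req.socket.remoteAddress) || 'unknown';
  if (!allow(ip)) return { ok: false, status: 429, reason: 'rate limited' };
  const declared = Number(req.headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) {
    return { ok: false, status: 413, reason: 'body too large' };
  }
  return { ok: true };
}

// Read the body as a stream and abort the moment the cap is crossed, so a
// chunked request with no Content-Length cannot grow the heap either; the
// deadline bounds how long one request can hold the instance.
function readBoundedBody(req, maxBytes = MAX_BODY_BYTES, deadlineMs = REQUEST_DEADLINE_MS) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    let received = 0;
    const timer = setTimeout(() => { req.destroy(); reject(new Error('deadline')); }, deadlineMs);
    req.on('data', (chunk) => {
      received += chunk.length;
      if (received > maxBytes) {
        clearTimeout(timer); req.destroy(); reject(new Error('body too large')); return;
      }
      chunks.push(chunk);
    });
    req.on('end', () => { clearTimeout(timer); resolve(Buffer.concat(chunks)); });
    req.on('error', (err) => { clearTimeout(timer); reject(err); });
  });
}
```

Run `admit` before the Server Function handler and use `readBoundedBody` in place of an unbounded body read; this only limits what reaches the deserializer and does not restore the missing bounds inside it, so it is no substitute for upgrading.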
Summary
CVE-2026-23870 is a denial-of-service flaw in the React Server Components Server Function pipeline caused by missing resource bounds on payload handling. Any project that uses RSC or Next.js App Router should upgrade to the patched versions immediately.
References
- GHSA-rv78-f8rc-xrxh (GitHub Advisory)
- React Blog — DoS and Source Code Exposure in RSC
- Vercel — Next.js May 2026 security release
- Netlify — May 2026 React/Next.js security analysis
Credits
- zpao