
A newly disclosed vulnerability in React Server Components can bring production servers to a complete halt using nothing more than a single, carefully crafted HTTP request — no credentials, no special access required.
Researchers at Imperva's Offensive Team discovered and reported the flaw, tracked as CVE-2026-23869 and dubbed "React2DoS." Rated high severity, the issue affects React Server Components version 19.2.4 and below. It also impacts Next.js versions 13.x through 16.x that use the App Router.
React Server Components rely on a custom serialization mechanism called the Flight protocol to stream UI data from server to browser. The vulnerability lives inside how Flight handles Map and Set constructors during deserialization (the process of reconstructing data sent by a client).
The researchers found that by embedding a self-referencing chunk (specifically, a root element that references itself) they could force the server to repeatedly re-execute a failed Map constructor. A consumed flag exists to prevent multiple computations of the same reference, but it only activates when a reference resolves successfully. Because the malformed Map never resolves, the guard never triggers, and every further reference to it runs the constructor again from scratch.
That's bad on its own. But the researchers then refined it further: by mixing valid map entries with self-references, they achieved quadratic complexity — meaning the computational cost grows far faster than the payload. With a payload of just tens of kilobytes, the computation can last several minutes. By repeating requests, a complete denial-of-service can be achieved.
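To make the two paragraphs above concrete, here is a toy reference resolver in JavaScript that models the bug class in the abstract. It is an added illustration, not React's Flight code and not derived from the patch; the chunk format, the `memoizeFailures` option, the lenient per-reference error handling in `decode`, and the sample input are all assumptions made for the demonstration. The only thing it shows is why remembering a reference's outcome on success alone lets a single unresolvable Map be rebuilt once per reference, and why the cost is the number of references times the number of entries per Map.

```javascript
// Toy reference resolver (added illustration; not React's Flight code).
// Models a deserializer that reconstructs chunks referenced by id, where a
// "map" chunk runs a constructor over its entries. The `memoizeFailures`
// option separates the bug class described in the article (a consumed flag
// set only on success) from the generic fix (record the outcome of a
// reference whether it succeeded or threw).
function createResolver(chunks, { memoizeFailures }) {
  const outcomes = new Map();   // chunk id -> { ok, value } or { ok, error }
  const inProgress = new Set(); // ids currently being constructed (cycle guard)
  const stats = { constructorCalls: 0, entryVisits: 0 };

  function resolve(id) {
    if (outcomes.has(id)) {
      const outcome = outcomes.get(id);
      if (outcome.ok) return outcome.value;
      throw outcome.error;      // cached failure: no recomputation
    }
    const chunk = chunks.get(id);
    if (chunk === undefined) throw new Error(`unknown chunk ${id}`);
    if (inProgress.has(id)) throw new Error(`self-reference at chunk ${id}`);
    inProgress.add(id);
    try {
      const value = construct(chunk);
      outcomes.set(id, { ok: true, value });
      return value;
    } catch (error) {
      // Vulnerable variant: only successes are remembered, so every later
      // reference to this id re-runs the whole failing constructor.
      if (memoizeFailures) outcomes.set(id, { ok: false, error });
      throw error;
    } finally {
      inProgress.delete(id);
    }
  }

  function construct(chunk) {
    if (chunk.type === 'value') return chunk.value;
    if (chunk.type === 'map') {
      stats.constructorCalls += 1;
      const entries = [];
      for (const [keyId, valueId] of chunk.entries) {
        stats.entryVisits += 1;
        entries.push([resolve(keyId), resolve(valueId)]);
      }
      return new Map(entries);
    }
    throw new Error(`unsupported chunk type ${chunk.type}`);
  }

  return { resolve, stats };
}

// Constructed sample input (assumption, not a real Flight payload): one map
// chunk with `validEntries` ordinary entries followed by a single entry that
// points back at the map itself, plus a body referencing that map
// `references` times.
function buildSample(validEntries, references) {
  const chunks = new Map();
  const entries = [];
  for (let i = 0; i < validEntries; i++) {
    chunks.set(100 + i, { type: 'value', value: `v${i}` });
    entries.push([100 + i, 100 + i]);
  }
  entries.push([1, 1]); // the self-reference that makes the constructor fail
  chunks.set(1, { type: 'map', entries });
  return { chunks, references: new Array(references).fill(1) };
}

// Decode every reference in the body the way a lenient server would: catch
// the error for each reference and keep going. Returns the work performed.
function decode(sample, options) {
  const resolver = createResolver(sample.chunks, options);
  let failures = 0;
  for (const id of sample.references) {
    try {
      resolver.resolve(id);
    } catch (e) {
      failures += 1;
    }
  }
  return { ...resolver.stats, failures };
}

// 50 entries x 100 references: the vulnerable variant performs 100 x 51
// entry visits; the memoizing variant performs 51 and then answers from cache.
console.log(decode(buildSample(50, 100), { memoizeFailures: false }));
console.log(decode(buildSample(50, 100), { memoizeFailures: true }));
```

Doubling both the entry count and the reference count quadruples the work of the vulnerable variant while the memoizing variant's work grows only with the entry count, which is the quadratic-versus-linear gap the researchers describe. The defensive takeaway generalizes beyond React: a deduplication or "consumed" marker in any deserializer must be set on every outcome of a reference, including failure, or the cache offers no protection against inputs built to fail.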
A single request can cause excessive CPU usage for up to a full minute before eventually throwing a catchable error.
This isn't the first time React's Flight protocol has drawn scrutiny. The earlier React2Shell vulnerability triggered emergency patches and intense industry attention earlier this year, followed by CVE-2026-23864, a related CPU exhaustion issue involving oversized BigInt values. React2DoS is measurably worse: at payload sizes in the hundreds of kilobytes, it outpaces CVE-2026-23864 by several orders of magnitude.
The affected npm packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across the React 19.0, 19.1, and 19.2 branches. Patched versions are 19.0.5, 19.1.6, and 19.2.5. Upgrade immediately.
For teams that can't patch right away: Vercel has deployed WAF rules to automatically protect all hosted projects at no cost, Fastly has released a virtual patch available through its Next-Gen WAF templated rules, and Cloudflare has activated an existing WAF rule (aaede80b4d414dc89c443cea61680354) for proactive coverage.
Client-side-only React apps are not affected. The risk is scoped to applications that use React Server Components with server functions exposed over the network.