GHSA-479c-33wc-g2pg · Severity: high · Ecosystem: npm — React Server Components have a Denial of Service Vulnerability
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Conclusion & alert: CVE-2026-23869 is rated Moderate Risk (56.3/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.84%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-10 | 0.69% | 0.84% | +0.15% |
| 2 | 2026-04-16 | 0.42% | 0.69% | +0.26% |
| 3 | 2026-04-14 | — | 0.42% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-479c-33wc-g2pg · Severity: high · Ecosystem: npm — React Server Components have a Denial of Service Vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2026-23869 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||