What is React2DoS CVE-2026-23869?

It's a high-severity DoS vuln in React Server Components' Flight protocol, letting attackers crash servers via recursive Map/Set references in payloads.

How does React2DoS attack work?

Crafted chunks self-reference before resolution, triggering repeated constructor calls—CPU exhaustion from tiny inputs like form data.

Is my Next.js app vulnerable to React2DoS?

Check react-server-dom version. Patch to latest experimental Flight builds; test with big payloads on staging.

🕳️ Vulnerabilities & CVEs

React2DoS: One Malicious Form Submit, and Your Server's Done

Picture this: a user submits a form on your Next.js site. Boom—your server freezes for seconds, maybe minutes. That's React2DoS in action, turning RSC's clever streaming into a DoS nightmare.

CVE Watch Apr 11, 2026 3 min read

React Flight protocol deserialization diagram showing recursive Map instantiation leading to DoS

⚡ Key Takeaways

React2DoS crashes servers with minimal payloads via Flight's recursive reference flaws 𝕏
Exposes risks in RSC shift to server-side logic and custom streaming 𝕏
Patch immediately—edge runtimes hit hardest, adoption may stall 𝕏

Published by

CVE Watch

Threat intelligence. Zero noise.

#CVE-2026-23869 #Flight protocol #Flight protocol DoS #React Server Components #React2DoS

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Imperva Blog

⚡ Key Takeaways

The 60-Second TL;DR

CVE Watch

Share this article

Worth sharing?

Related Stories

React2Shell: CVE-2025-55182 Lets Hackers RCE Unpatched React Servers in One HTTP Shot

React Server Components' Hidden DoS Bomb: Time to Wake Up, Devs

UNC6201 Ditches BRICKSTORM for Sneakier GRIMBOLT in Dell Zero-Day Heist

Edge Decay: Attackers Are Breaching Your 'Secure' Firewall First

Stay in the loop