AIKIDO-2026-10094

react-server-dom-turbopack is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) | CVE-2026-23864 | Published Jan 27, 2026

75 (High Risk)

This Affects:

react-server-dom-turbopack (JS)
19.0.0 - 19.0.3: fixed in 19.0.4
19.1.0 - 19.1.4: fixed in 19.1.5
19.2.0 - 19.2.3: fixed in 19.2.4

TL;DR

Affected versions of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages are vulnerable to multiple denial of service (DoS) issues in React Server Components. The previously applied DoS mitigations were incomplete, allowing specially crafted HTTP requests to Server Function endpoints to trigger server crashes, out-of-memory conditions, or excessive CPU usage, depending on the code path and application configuration. These issues are fixed in versions 19.0.4, 19.1.5, and 19.2.4. Applications that do not use React Server Components or server-side React functionality are not affected.

Who does this affect?

You are affected only if you are using a version within the vulnerable range and your application uses React Server Components. Applications that do not run React code on the server, or that do not use a framework, bundler, or bundler plugin supporting React Server Components, are not affected.

Background info

react-server-dom-turbopack is vulnerable to Denial of Service (DoS) in versions 19.0.0 - 19.0.3, 19.1.0 - 19.1.4 and 19.2.0 - 19.2.3.

How to fix this

Upgrade react-server-dom-turbopack to the patched version for your release line: 19.0.4, 19.1.5, or 19.2.4.