What is CVE-2026-23869? Detailed patching & update guide

Latest Update: 12/05/2026

A high-severity denial-of-service vulnerability in React 19 lets unauthenticated attackers drive server CPU to full utilization and lock the server up. It is being exploited in the wild and is a direct threat to any system running React Server Components.

What is CVE-2026-23869?

CVE-2026-23869 is a HIGH-severity vulnerability (rated 7.5/10) affecting web applications that use React 19 with Server Actions. It is the third vulnerability in a series stemming from the same underlying issue: the patches released in December 2025 and January 2026 did not fully resolve the problem. The flaw is currently being exploited in the wild. Attackers need no account and little technical skill; a single specially crafted request can stop a server from functioning entirely.

System paralysis mechanism

React Server Components use the Flight protocol to transmit data between the client and the server. When a user invokes a Server Action, the request is sent as multipart/form-data and the server deserializes the payload with the reviveModel() function.

The vulnerability arises because React does not check whether a key referenced in the payload is an "own property" of the object being revived or a property inherited from its prototype. A crafted payload abuses this oversight to introduce circular references and to walk the prototype chain, confusing the decoder. Instead of serving normal requests, the server spends its CPU trying to resolve these never-ending structures, and the system hangs completely.
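As an added illustration (not React's reviveModel() or any code from this advisory), the toy reference resolver below shows the defect class in isolation: looking a payload key up with plain property access reaches members inherited from the prototype, and following references without a visited set or a hop cap never terminates on a cycle. All function names and the sample chunk table are invented for this example.

```javascript
// Constructed lookup table of decoded chunks keyed by id, standing in for a
// Flight-style decoder's reference table. "2" references "1"; "3" references
// itself, i.e. the circular reference the advisory describes.
const SAMPLE_CHUNKS = {
  "1": { value: "hello" },
  "2": { ref: "1" },
  "3": { ref: "3" },
};

// Weak lookup: plain property access. A key such as "constructor",
// "toString" or "__proto__" resolves to something inherited from
// Object.prototype, so the decoder accepts a value that was never a chunk.
function lookupWeak(chunks, key) {
  return chunks[key];
}

// Hardened lookup: only own properties of the table count as chunks.
function lookupSafe(chunks, key) {
  return Object.prototype.hasOwnProperty.call(chunks, key)
    ? chunks[key]
    : undefined;
}

// Hardened resolver: follows ref chains with the safe lookup, refuses to
// revisit a chunk (cycle) and caps the number of hops (overly long chains),
// so a malicious payload fails fast instead of consuming CPU.
function resolveSafe(chunks, key, maxHops = 16) {
  const seen = new Set();
  let current = key;
  for (let hops = 0; hops <= maxHops; hops++) {
    if (seen.has(current)) throw new Error(`cycle at chunk ${current}`);
    seen.add(current);
    const chunk = lookupSafe(chunks, current);
    if (chunk === undefined) throw new Error(`unknown chunk ${current}`);
    if (chunk.ref === undefined) return chunk.value;
    current = chunk.ref;
  }
  throw new Error(`reference chain longer than ${maxHops} hops`);
}

// Wraps resolveSafe so a caller can see accept/reject without exceptions.
function outcome(chunks, key) {
  try {
    return { ok: true, value: resolveSafe(chunks, key) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

A lookup table created with Object.create(null) or a Map removes the inherited-key problem entirely; the cycle and hop checks are still needed for the circular-reference case.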

Real-world risks of exploitation

  • Total Service Outage: The server's resources are completely hijacked, making it unable to serve any users for the duration of the attack.
  • Infinite Downtime: Each malicious request freezes the server for approximately 60 seconds. Attackers can send these requests continuously and automatically, maintaining a crashed state indefinitely.
  • Extremely Low Barrier to Entry: No account or advanced technical expertise is required. Anyone on the internet can execute this attack.
  • Direct Revenue Impact: All transactions and user interactions with the system are disrupted during the attack period.

VNIS — Web/App/API Security & Acceleration Solution

As soon as CVE-2026-23869 was announced, VNETWORK's VNIS updated its defense rules to block exploitation requests targeting React Server Components, keeping customer systems stable and uninterrupted.

The VNIS WAAP security solution is built on AI, where AI is not merely a supporting tool but plays a central role in constructing defenses and in forecasting, identifying and preventing increasingly sophisticated cyberattacks.
