React Server Components Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in React Server Components, specifically in the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. This vulnerability affects versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. The issue arises when specially crafted HTTP requests are sent to Server Function endpoints, causing excessive CPU usage for up to a minute before triggering a catchable error.
Impact
Exploitation of this vulnerability leads to significant CPU exhaustion: the application becomes unresponsive for up to one minute before the error is thrown and normal processing resumes.
Remediation
Users of the affected packages are advised to upgrade to versions 19.0.5, 19.1.6, or 19.2.5. If an application does not use a server or a framework, bundler, or bundler plugin that supports React Server Components, it is not affected by this vulnerability.
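The advisory gives affected and fixed versions for three packages; the quickest defender-side check is to audit a project's lockfile against those ranges. The script below is an added example, not code from the advisory or from the React project: it reads the "packages" map of a package-lock.json (v2/v3 layout, where keys are node_modules paths) and reports every react-server-dom-* entry that falls inside an affected range, together with the fixed version to upgrade to. The ranges and fixed versions are copied from the advisory; the lockfile content embedded at the end is a constructed sample. Version strings that are not plain major.minor.patch (for example a caret range from package.json or a prerelease tag) are reported as "unknown" rather than silently passed.

```javascript
// Added example: audit a package-lock.json for React Server Components packages
// inside the affected ranges stated in the advisory. Not part of the advisory
// or the React project.

const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];

// Affected ranges (inclusive) and the fixed version for each line, as stated in the advisory.
const RANGES = [
  { min: "19.0.0", max: "19.0.4", fixed: "19.0.5" },
  { min: "19.1.0", max: "19.1.5", fixed: "19.1.6" },
  { min: "19.2.0", max: "19.2.4", fixed: "19.2.5" },
];

// Parse a plain "major.minor.patch" string into numbers; anything else
// (caret/tilde ranges, prerelease tags) returns null so the caller can flag it.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one package@version. Returns { status, fixed? } where status is one of
// "not-applicable" (package not named in the advisory), "unknown" (unparseable
// version), "affected" (inside a listed range) or "unaffected".
function assess(name, version) {
  if (!AFFECTED_PACKAGES.includes(name)) return { status: "not-applicable" };
  const v = parseVersion(version);
  if (!v) return { status: "unknown" };
  for (const r of RANGES) {
    if (compareVersions(v, parseVersion(r.min)) >= 0 &&
        compareVersions(v, parseVersion(r.max)) <= 0) {
      return { status: "affected", fixed: r.fixed };
    }
  }
  return { status: "unaffected" };
}

// Walk the "packages" map of a lockfile object. Keys look like
// "node_modules/react-server-dom-webpack" or, for nested installs,
// "node_modules/foo/node_modules/react-server-dom-parcel"; the package name is
// the part after the last "node_modules/". The root entry (key "") is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !entry || !entry.version) continue;
    const result = assess(name, entry.version);
    if (result.status === "affected" || result.status === "unknown") {
      findings.push({ name, version: entry.version, ...result });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one patched package, two
// affected ones, one of them nested under another dependency.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.4" },
    "node_modules/react-server-dom-webpack": { version: "19.2.4" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.6" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.0.2" },
  },
};

// Usage: node audit-rsc.js [path/to/package-lock.json]; without an argument the
// constructed sample above is audited.
if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  if (findings.length === 0) {
    console.log("No affected react-server-dom-* packages found.");
  }
  for (const f of findings) {
    const advice = f.status === "affected" ? `upgrade to ${f.fixed}` : "resolve exact version and re-check";
    console.log(`${f.status.toUpperCase()}: ${f.name}@${f.version} (${advice})`);
  }
}
```

Running the script against the sample reports the webpack package (upgrade to 19.2.5) and the nested parcel package (upgrade to 19.0.5), while the turbopack package at 19.1.6 is already on a fixed release. Because the check only recognises exact versions, point it at a lockfile rather than package.json so that resolved versions, including nested copies pulled in by other dependencies, are what gets assessed.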