Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-fa57-smff-sbg2
Summary A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
Aliases
0
alias CVE-2026-23869
1
alias GHSA-479c-33wc-g2pg
Fixed_packages
0
url pkg:npm/react-server-dom-parcel@19.1.6
purl pkg:npm/react-server-dom-parcel@19.1.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-parcel@19.1.6
1
url pkg:npm/react-server-dom-parcel@19.2.5
purl pkg:npm/react-server-dom-parcel@19.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-parcel@19.2.5
2
url pkg:npm/react-server-dom-turbopack@19.0.5
purl pkg:npm/react-server-dom-turbopack@19.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.5
3
url pkg:npm/react-server-dom-turbopack@19.1.6
purl pkg:npm/react-server-dom-turbopack@19.1.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.6
4
url pkg:npm/react-server-dom-turbopack@19.2.5
purl pkg:npm/react-server-dom-turbopack@19.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.5
5
url pkg:npm/react-server-dom-webpack@19.0.5
purl pkg:npm/react-server-dom-webpack@19.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.0.5
6
url pkg:npm/react-server-dom-webpack@19.1.6
purl pkg:npm/react-server-dom-webpack@19.1.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.1.6
7
url pkg:npm/react-server-dom-webpack@19.2.5
purl pkg:npm/react-server-dom-webpack@19.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.2.5
Affected_packages
0
url pkg:npm/react-server-dom-parcel@19.0.0
purl pkg:npm/react-server-dom-parcel@19.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-parcel@19.0.0
1
url pkg:npm/react-server-dom-parcel@19.1.0
purl pkg:npm/react-server-dom-parcel@19.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-parcel@19.1.0
2
url pkg:npm/react-server-dom-parcel@19.2.0
purl pkg:npm/react-server-dom-parcel@19.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-parcel@19.2.0
3
url pkg:npm/react-server-dom-turbopack@19.0.0
purl pkg:npm/react-server-dom-turbopack@19.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.0
4
url pkg:npm/react-server-dom-turbopack@19.1.0
purl pkg:npm/react-server-dom-turbopack@19.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.0
5
url pkg:npm/react-server-dom-turbopack@19.2.0
purl pkg:npm/react-server-dom-turbopack@19.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.0
6
url pkg:npm/react-server-dom-webpack@19.0.0
purl pkg:npm/react-server-dom-webpack@19.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.0.0
7
url pkg:npm/react-server-dom-webpack@19.1.0
purl pkg:npm/react-server-dom-webpack@19.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.1.0
8
url pkg:npm/react-server-dom-webpack@19.2.0
purl pkg:npm/react-server-dom-webpack@19.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-fa57-smff-sbg2
2
vulnerability VCID-hznz-envu-kfcq
3
vulnerability VCID-pqwe-3ukm-dkh4
4
vulnerability VCID-q3r3-ykj4-3qbr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-webpack@19.2.0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23869.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23869.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23869
reference_id
reference_type
scores
0
value 0.00322
scoring_system epss
scoring_elements 0.55259
published_at 2026-04-11T12:55:00Z
1
value 0.00322
scoring_system epss
scoring_elements 0.5522
published_at 2026-04-13T12:55:00Z
2
value 0.00322
scoring_system epss
scoring_elements 0.55238
published_at 2026-04-12T12:55:00Z
3
value 0.00322
scoring_system epss
scoring_elements 0.55247
published_at 2026-04-09T12:55:00Z
4
value 0.00688
scoring_system epss
scoring_elements 0.71777
published_at 2026-04-18T12:55:00Z
5
value 0.00688
scoring_system epss
scoring_elements 0.71772
published_at 2026-04-16T12:55:00Z
6
value 0.00688
scoring_system epss
scoring_elements 0.7176
published_at 2026-04-21T12:55:00Z
7
value 0.00728
scoring_system epss
scoring_elements 0.72709
published_at 2026-04-29T12:55:00Z
8
value 0.00728
scoring_system epss
scoring_elements 0.72704
published_at 2026-04-24T12:55:00Z
9
value 0.00728
scoring_system epss
scoring_elements 0.72713
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23869
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23869
4
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456663
reference_id 2456663
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456663
6
reference_url https://github.com/advisories/GHSA-479c-33wc-g2pg
reference_id GHSA-479c-33wc-g2pg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-479c-33wc-g2pg
7
reference_url https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg
reference_id GHSA-479c-33wc-g2pg
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:55:33Z/
url https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg
Weaknesses
0
cwe_id 502
name Deserialization of Untrusted Data
description The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
1
cwe_id 400
name Uncontrolled Resource Consumption
description The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
2
cwe_id 770
name Allocation of Resources Without Limits or Throttling
description The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fa57-smff-sbg2