Next.js and React on Chopping Block

seriously rough time for javascript developers. last week i was writing about the digital sandworm Sha1-Hulud eating its way through the npm ecosystem, and now we have a critical unauthenticated RCE vulnerability in React and Next.js, where a single crafted HTTP request to the server can execute code on it (full disclosure, we have failed, so far, to recreate said payload… so far…).

from what the reports say this morning, roughly 40% of cloud environments are suspected to still be running vulnerable versions, and exploitation has a near 100% success rate in testing, which is not exactly the sort of reliability you want from a vulnerability in your own stack but is exactly the sort that script kiddies like us dream about.

uncovered by the suddenly famous lachlan2k, the problem is in the React Server Components Flight protocol, the wire format React uses to ship component trees and server function calls between client and server. the server deserialises attacker-controlled Flight payloads from the request body, and a crafted payload lets an attacker influence server-side execution logic, which is how you get from "insecure deserialization" to code running on the box.

the real kicker is that the vulnerability exists in the default configuration, so if you spun up a standard Next.js app with create-next-app and built it for production without changing anything, you are already exposed. it is one flaw, in React's server-side Flight implementation, and Next.js inherits it because it bundles that runtime, so if you are running React 19.x or Next.js 14.3.0-canary, 15.x, or 16.x you need to patch immediately. hardened releases are available now, so this is one of those drop everything, check versions, and update kind of situations. check what is actually installed (lockfile and build output, not just what package.json asks for), and remember that patching does not undo a compromise that already happened: unlike the Sha1-Hulud worm, which leaves you a calling card to let you know you have been compromised, this one just quietly walks in through the front door, so anything that was exposed and unpatched deserves a look through its logs.