Critical Security Vulnerability in React Server Components

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Comments

lioeters, Dec 3, 2025, 4:53 PM
> An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. ... Affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

Oof, that's bad. Good thing I've only used RSC for static site generation and don't run it on a production server.

bek-shoyatbek, Dec 3, 2025, 7:57 PM
React first brought Cloudflare down with a simple hook, and now a new feature, server components, is causing an issue... I would rather be coding with HTMX....
ChrisArchitect, Dec 3, 2025, 5:38 PM
ChrisArchitect, Dec 3, 2025, 10:27 PM
jmholla, Dec 3, 2025, 4:39 PM
Next[0] does have fixes for this. Fixed versions:

* 15.0.5
* 15.1.9
* 15.2.6
* 15.3.6
* 15.4.8
* 15.5.7
* 16.0.7

[0]: https://nextjs.org/blog/CVE-2025-66478
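A small version check that turns the list above into something a team can run against a lockfile. This is an added example, not code from the thread or from the Next.js advisory: it takes the fixed versions exactly as jmholla listed them, treats a minor line as patched once the installed patch level reaches the listed version for that line, and reports any line the comment does not cover (for example 14.x) as "unknown" rather than guessing. The `package-lock.json` content is a constructed sample, and the helper names (`assessNextVersion`, `installedNextVersionFromLock`) are this example's own. A prerelease build such as `16.0.7-canary.3` is ranked below the `16.0.7` release, which is the edge case that a naive string comparison gets wrong.

```javascript
// Added example (not from the post or the Next.js advisory): compare an
// installed Next.js version against the fixed versions listed in the thread.
// Assumption: a minor line is fixed once the installed patch level reaches the
// listed version; lines not in the list are reported as "unknown" because the
// comment says nothing about them. Only `next` is covered here, not the other
// affected packages named in the React post.
const FIXED_NEXT_VERSIONS = [
  "15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7",
];

// Parse "v16.0.7-canary.3" into { major, minor, patch, prerelease }.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Standard semver ordering: numeric triple first; for an equal triple, a
// prerelease (e.g. 16.0.7-canary.3) ranks BELOW the release (16.0.7).
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// The minimum fixed version for the installed major.minor line, or null if
// the list does not mention that line.
function minimumFixedFor(installed, fixedList = FIXED_NEXT_VERSIONS) {
  return fixedList
    .map(parseSemver)
    .find((f) => f.major === installed.major && f.minor === installed.minor) || null;
}

// Returns { version, status, minimumFixed } with status one of
// "fixed", "vulnerable" or "unknown".
function assessNextVersion(installedVersion, fixedList = FIXED_NEXT_VERSIONS) {
  const installed = parseSemver(installedVersion);
  const fixed = minimumFixedFor(installed, fixedList);
  if (!fixed) {
    return { version: installedVersion, status: "unknown", minimumFixed: null };
  }
  const ok = compareSemver(installed, fixed) >= 0;
  return {
    version: installedVersion,
    status: ok ? "fixed" : "vulnerable",
    minimumFixed: `${fixed.major}.${fixed.minor}.${fixed.patch}`,
  };
}

// Pull the resolved `next` version out of a lockfileVersion 2/3
// package-lock.json (the "packages" map keyed by install path).
function installedNextVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages && lock.packages["node_modules/next"];
  return entry ? entry.version : null;
}

// Constructed sample lockfile: an app pinned one patch below the 15.4 fix.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { next: "15.4.7" } },
    "node_modules/next": { version: "15.4.7", resolved: "(constructed)" },
  },
});

function assessLock(lockJson) {
  const version = installedNextVersionFromLock(lockJson);
  if (!version) return { version: null, status: "unknown", minimumFixed: null };
  return assessNextVersion(version);
}

console.log(assessLock(SAMPLE_LOCK));
// → { version: '15.4.7', status: 'vulnerable', minimumFixed: '15.4.8' }
```

Run it with `node check-next.js` (any filename works) against the constructed sample, or replace `SAMPLE_LOCK` with `fs.readFileSync("package-lock.json", "utf8")` for a real project. The "unknown" result is deliberate: the thread only lists 15.x and 16.0 lines, so anything else should be checked against the linked advisory rather than assumed safe.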

Veliladon, Dec 3, 2025, 3:56 PM
It's a wonderful day on the Internet. A beautiful day for a CVSS 10 exploit!