6 comments

  • lioeters 14 hours ago

    > An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. ..Affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

    Oof, that's bad. Good thing I've only used RSC for static site generation and don't run it on a production server.

  • bek-shoyatbek 11 hours ago

    React first caused Cloudflare to go down with a simple hook, and now a new feature, server components, is causing an issue... I would rather be coding with HTMX....

  • jmholla 14 hours ago

    Next[0] does have fixes for this. Fixed versions:

    * 15.0.5

    * 15.1.9

    * 15.2.6

    * 15.3.6

    * 15.4.8

    * 15.5.7

    * 16.0.7

    [0]: https://nextjs.org/blog/CVE-2025-66478

  • Veliladon 15 hours ago

    It's a wonderful day on the Internet. A beautiful day for a CVSS 10 exploit!

  • ChrisArchitect 13 hours ago