> An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. ..Affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
Oof, that's bad. Good thing I've only used RSC for static site generation and don't run it on a production server.
React first caused Cloudflare down with simple hook then now, a new feature server components causing an issue... I would rather be coding with HTMX....
[+] [-] lioeters|3 months ago|reply
Oof, that's bad. Good thing I've only used RSC for static site generation and don't run it on a production server.
[+] [-] bek-shoyatbek|3 months ago|reply
[+] [-] ChrisArchitect|3 months ago|reply
[+] [-] ChrisArchitect|3 months ago|reply
[+] [-] jmholla|3 months ago|reply
* 15.0.5
* 15.1.9
* 15.2.6
* 15.3.6
* 15.4.8
* 15.5.7
* 16.0.7
[0]: https://nextjs.org/blog/CVE-2025-66478
[+] [-] Veliladon|3 months ago|reply