A significant security flaw has been discovered in React Server Components (RSC), affecting thousands of applications built with React 19 and the Next.js App Router. The issue arises from unsafe deserialization within the RSC “Flight” protocol, which allows attackers to inject malicious payloads, potentially leading to Remote Code Execution (RCE).
Why This Matters
- RSC is fundamental to React’s modern architecture.
- Many applications utilise RSC without realising the associated backend risks.
- Even new projects created with create-next-app can be vulnerable.
- The flaw impacts core RSC packages in React 19.
What Developers Should Do
- Upgrade React to versions 19.0.1, 19.1.2, or 19.2.1.
- Update Next.js to the latest patched versions (15/16).
- Audit and secure any RSC-related server endpoints.
- Monitor logs for suspicious RSC traffic.
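As an added example (not code from the post, React or Next.js), the following Node.js script carries out the first step of that checklist against an npm lockfile: it finds every installed copy of the React packages and compares their version with the patched releases the post names (19.0.1, 19.1.2, 19.2.1). It assumes that the packages carrying the RSC Flight deserializer are react, react-dom and the react-server-dom-* packages, that the flaw is confined to the 19.x lines as the post states, and that lockfileVersion 2/3 "packages" entries are keyed by their node_modules path. Next.js versions are not checked because the post gives no specific patched version for it. The sample lockfile at the bottom is constructed for the demonstration.

```javascript
// Added example: audit an npm lockfile's React packages against the patched
// React versions named in the post. Not code from the post, React or Next.js.

// Patched patch level for each affected 19.x minor line (19.0.1, 19.1.2, 19.2.1).
const FIXED_PATCH_BY_LINE = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Assumption: these package names carry the RSC Flight deserializer.
function isRscPackage(name) {
  return name === "react" || name === "react-dom" || name.startsWith("react-server-dom-");
}

// Parse "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Classify one version string as "ok", "vulnerable" or "review".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "review";                 // unparseable: inspect by hand
  if (p.major !== 19) return "ok";         // the post scopes the flaw to React 19
  if (p.prerelease) return "review";       // canary/rc builds need manual comparison
  const fixed = FIXED_PATCH_BY_LINE[`19.${p.minor}`];
  if (fixed === undefined) return "ok";    // a 19.x line newer than the fixes
  return p.patch >= fixed ? "ok" : "vulnerable";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every RSC package, including nested copies under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;             // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!isRscPackage(name) || !entry.version) continue;
    findings.push({ name, path, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): one patched copy,
// two unpatched copies, a nested React 18 and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/some-lib/node_modules/react": { version: "18.3.1" },
  },
};

// CLI use: node audit-rsc.js [path/to/package-lock.json]; exits 1 if anything is vulnerable.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.status.padEnd(10)} ${f.path} ${f.version}`);
  process.exitCode = findings.some((f) => f.status === "vulnerable") ? 1 : 0;
}
```

Run it in CI against the lockfile so a downgrade or a nested unpatched copy pulled in by another dependency fails the build rather than going unnoticed; the "review" status exists so that canary and release-candidate builds are never silently treated as patched.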
Final Thoughts
Framework-level vulnerabilities like this highlight the blurring line between frontend and backend responsibilities. As React continues to evolve, developers must remain vigilant about security.
If React or Next.js is part of your technology stack, update immediately and use this as a reminder to prioritise dependency security.
Top comments (1)
This is a serious reminder that even frontend frameworks like React can introduce backend risks. Upgrading React and Next.js immediately and auditing RSC endpoints is critical to prevent potential RCE attacks. Security can’t be an afterthought, even in modern full-stack setups.