While exploring a production site built with React + Next.js, I hit a route that didn’t return HTML.
Instead, it returned the raw React Server Component (RSC) payload.
Things like:
• component tree references
• chunk mappings (/_next/static/...)
• providers (MantineProvider, ThemeProvider, etc.)
Basically, the server streamed internal rendering data instead of a rendered HTML page.
This usually points to:
• incorrect route handling (e.g. non-standard paths like .txt)
• misconfigured SSR / App Router setup
• wrong response headers (serving RSC as plain text instead of HTML)
Not a direct exploit, but still a form of information disclosure.
It exposes framework internals and signals potential deployment gaps.
With frameworks like Next.js, the server–client boundary is thin.
If the rendering pipeline breaks, you don’t just lose UI —
you expose how your app actually works under the hood.
Curious if others have encountered similar RSC leaks in production?
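To check your own deployment for the condition described above, a smoke test can classify each collected response. The sketch below is an added example, not code from the original post. The `requestedRsc` field, the 80% row threshold and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: flag responses whose body is an RSC (Flight) payload served
// where a page was expected. Sample responses below are constructed.
const FLIGHT_ROW = /^[0-9a-f]+:(?:[A-Z]{1,2})?[\[{"]/; // e.g. 1:I[...] or 0:["$",...]

// True when at least 80% of non-empty lines look like Flight rows (assumed threshold).
function looksLikeRscPayload(body) {
  const lines = body.split("\n").filter((l) => l.trim() !== "");
  if (lines.length === 0) return false;
  return lines.filter((l) => FLIGHT_ROW.test(l)).length / lines.length >= 0.8;
}

// Collect what the payload reveals: chunk paths and provider component names.
function extractDisclosures(body) {
  const uniq = (re) => [...new Set(body.match(re) || [])];
  return {
    chunks: uniq(/static\/chunks\/[\w./%-]+\.js/g),
    providers: uniq(/\b[A-Z]\w*Provider\b/g),
  };
}

// res = { path, requestedRsc, contentType, body }; requestedRsc is a hypothetical
// field recording whether the test client sent the `RSC: 1` request header.
function auditResponse(res) {
  if (!looksLikeRscPayload(res.body)) return { path: res.path, leak: false };
  const expected = res.requestedRsc && /^text\/x-component/i.test(res.contentType);
  return { path: res.path, leak: !expected, ...extractDisclosures(res.body) };
}

// Constructed responses: a .txt path returning Flight rows as text/plain, and a normal page.
const samples = [
  { path: "/pricing.txt", requestedRsc: false, contentType: "text/plain; charset=utf-8",
    body: [
      '1:I["(app-pages-browser)/./src/providers.tsx",["app/layout","static/chunks/app/layout-1a2b3c.js"],"ThemeProvider"]',
      '2:I[4821,["482","static/chunks/482-9f8e7d.js"],"MantineProvider"]',
      '0:["$","html",null,{"lang":"en","children":["$","$L2",null,{}]}]',
    ].join("\n") },
  { path: "/pricing", requestedRsc: false, contentType: "text/html; charset=utf-8",
    body: "<!DOCTYPE html><html><body><h1>Pricing</h1></body></html>" },
];

for (const s of samples) console.log(auditResponse(s));
```

A payload returned as `text/x-component` to a client that asked for it is normal App Router behaviour, which is why the check only reports a leak when the payload arrives unrequested or under another content type.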