Critical Security Vulnerability in React Server Components

> An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. ..Affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

Oof, that's bad. Good thing I've only used RSC for static site generation and don't run it on a production server.

React first caused Cloudflare down with simple hook then now, a new feature server components causing an issue... I would rather be coding with HTMX....

More discussion: https://news.ycombinator.com/item?id=46136067

Next[0] does have fixes for this. Fixed versions:

* 15.0.5

* 15.1.9

* 15.2.6

* 15.3.6

* 15.4.8

* 15.5.7

* 16.0.7

[0]: https://nextjs.org/blog/CVE-2025-66478

It's a wonderful day on the Internet. A beautiful day for a CVSS 10 exploit!