Security researchers have identified two critical Remote Code Execution (RCE) vulnerabilities in React and Next.js, both rated at the maximum CVSS score of 10.0. These flaws pose a significant risk: a successful exploit lets an attacker fully compromise the server infrastructure hosting the application.
What’s the Issue?
The vulnerabilities stem from how React Server Components (RSC) handle data. The server trusts incoming client-supplied data without validating it, which enables unauthenticated users to send crafted requests that execute arbitrary code on the server.
Who is Affected?
This widespread issue does not only affect React: Next.js inherits it automatically, so applications built on the App Router (which relies on React Server Components) are particularly exposed. Exploitation is trivial and requires no user interaction, which makes the flaws especially dangerous.
What Should You Do?
Immediate action is required. Development of new features should be halted, and teams must update to the latest patched versions of Next.js and React right away, closing the vulnerability before it can be exploited.
Conclusion
To protect your applications and server infrastructure, address these vulnerabilities with urgency by upgrading to the patched releases.