Critical React/Next.js RCE Vulnerabilities: What You Need to Know

So… what actually happened? A little story from December 3rd, 2025

Two critical remote code execution vulnerabilities were disclosed in React Server Components and their integration with Next.js.
If you work anywhere near modern frontend stacks, it felt more like hearing: “Hey, your favorite framework might have a garage-door–sized hole in it.”
Technically speaking, the issue allowed attackers to tamper with the React Server Components “Flight” protocol. In certain configurations, that could lead to full server compromise.

Who was affected?

If your app uses React Server Components or Next.js, especially newer builds that rely heavily on RSC, you were potentially exposed.
Across the industry, teams immediately dove into:

  • version checks,
  • emergency patching,
  • log reviews,
  • and general “did anything weird happen last night?” investigations.

At USUA, our engineers jumped into rapid internal reviews as well – validating our environments and double-checking protection layers for our clients.

What should you do right now?

Stay calm, act quickly.
1. Update immediately.
Check your versions of React Server Components and Next.js and upgrade to the patched releases.
2. Assume exposure, verify safety.
If you were running a vulnerable build:

  • remove old deployments,
  • rotate secrets,
  • scan logs for suspicious behavior.

3. Re-run your security tools.
Static analysis, CI security checks, dependency scanners – run everything again.
At USUA we call this “fresh scan, fresh eyes.” It works.
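
A starting point for the version check in step 1, as an added example that is not part of the original post: it audits a parsed package-lock.json for every installed copy of Next.js and a React Server Components runtime package, nested copies included. The patched versions and the sample lockfile are constructed placeholders, and the function names are hypothetical; substitute the releases named in the official advisories.

```javascript
// CONSTRUCTED placeholder versions, one per major.minor line; use the advisories' real ones.
const PATCHED = {
  "next": ["99.1.5", "99.2.3"],
  "react-server-dom-webpack": ["98.0.2"],
};

// Split "99.1.5" or "98.0.2-rc.1" into release line, patch number, prerelease flag.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v));
  return m && { line: `${m[1]}.${m[2]}`, patch: Number(m[3]), pre: Boolean(m[4]) };
}

// Compare one installed version with the patched release for its own line.
function classify(name, version, patched = PATCHED) {
  const have = parse(version);
  if (!have) return "unparseable";
  const fix = (patched[name] || []).map(parse).find((p) => p && p.line === have.line);
  if (!fix) return "no-patched-release-for-line"; // check the advisory by hand
  const older = have.patch < fix.patch || (have.patch === fix.patch && have.pre && !fix.pre);
  return older ? "outdated" : "ok";
}

// Walk the lockfile v2/v3 "packages" map. Nested copies such as
// node_modules/a/node_modules/next are reported too: they are installed as well.
function auditLockfile(lock, patched = PATCHED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (!Array.isArray(patched[name])) continue; // not a watched package
    findings.push({ path, name, version: meta.version, status: classify(name, meta.version, patched) });
  }
  return findings;
}

// CONSTRUCTED sample: in practice pass JSON.parse of a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "99.2.3" },
    "node_modules/legacy-widget/node_modules/next": { version: "99.1.4" },
    "node_modules/react-server-dom-webpack": { version: "98.0.2-rc.1" },
    "node_modules/react": { version: "98.0.2" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Any status other than "ok" means that copy needs a closer look before the deployment is considered patched.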

What happens next?

Like any major zero-day, the initial disclosure is just the beginning. More details and recommendations will surface as investigations continue.
If you’re running production apps on React or Next.js – update today, not “later this week.”
If you’re a tech lead – audit every repo.
If you’re an engineer – let your team know.

At USUA, we live by a simple rule:
“The fastest patch is the best patch.”