Maverick Security


React2Shell: Drop Everything and Patch Now!

We’re a week into React2Shell (CVE-2025-55182) and it’s already ugly…

This isn’t another “theoretical vulnerability” that security vendors overhype. This is a CVSS 10.0 remote code execution bug that lets attackers take over your server with nothing more than a crafted HTTP request. No authentication needed. No user interaction. Just one request and they’re in.

And we are seeing real-world exploitation:

  • Stealing cloud credentials and environment variables
  • Installing backdoors for persistent access
  • Lateral movement into Kubernetes clusters

And it's already being exploited in real time.

Within hours of the December 3rd disclosure, Chinese state-sponsored groups were scanning for vulnerable servers. Now cryptominers are everywhere, and attackers are dropping shells on compromised systems. This isn’t coming—it’s here.

Your default Next.js app is vulnerable, but the fix is simple.
If you ran create-next-app and deployed to production, you’re exposed. No special configuration required. The flaw is in React Server Components, which Next.js uses by default. Standard setup = vulnerable. Update React to 19.0.1, 19.1.2, or 19.2.1 depending on your version. Update Next.js to 15.1.4 or 16.0.1. That’s it. Don’t wait for your normal patch cycle. Do it now.

DO NOT RELY ON WAFs!
Some vendors pushed out WAF rules, but those are stopgap runtime mitigations at best. The only real fix is patching. If you're relying on a WAF and haven't updated the actual code, you're still exposed.

How to check if you're vulnerable
Look at your React version. If you see 19.0, 19.1.0, 19.1.1, or 19.2.0, you're vulnerable. Check Next.js as well: versions before 15.1.4 and 16.0.1 are affected.

Run this in your project:

npm list react react-dom next create-next-app

If those versions show up, patch immediately!
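As an added example (not code from the post or from the React/Next.js projects), here is the same check scripted against the JSON form of that command (npm ls --json), using the version boundaries stated above. The dependency tree below is a constructed sample of what a default create-next-app project might report.

```javascript
// Flag React / Next.js versions affected by React2Shell from `npm ls --json` output.
// Rules as stated in the post: React fixed in 19.0.1 / 19.1.2 / 19.2.1,
// Next.js fixed in 15.1.4 / 16.0.1. Anything in the same release line but
// below the fixed version is reported; other packages are not checked.
const FIXES = {
  react: [{ line: [19, 0], fixed: [19, 0, 1] },
          { line: [19, 1], fixed: [19, 1, 2] },
          { line: [19, 2], fixed: [19, 2, 1] }],
  next:  [{ line: [15], fixed: [15, 1, 4] },
          { line: [16], fixed: [16, 0, 1] }],
};

// "19.2.0", "v19.2.0" or "19.2.0-canary.1" -> [19, 2, 0] (prerelease tag dropped)
function parseVersion(v) {
  return String(v).replace(/^[v^~]/, '').split('-')[0].split('.').map(Number);
}

// Numeric major.minor.patch comparison; missing components count as 0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// True when `version` sits in a release line named above and is below its fix.
function isVulnerable(pkg, version) {
  const v = parseVersion(version);
  return (FIXES[pkg] || []).some(({ line, fixed }) =>
    line.every((n, i) => v[i] === n) && cmp(v, fixed) < 0);
}

// Walk the nested `dependencies` tree of `npm ls --json` (transitive copies too).
function scanNpmLs(tree, path = [], out = []) {
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (dep.version && isVulnerable(name, dep.version)) {
      out.push({ name, version: dep.version, path: here.join(' > ') });
    }
    scanNpmLs(dep, here, out);
  }
  return out;
}

// Constructed sample of `npm ls --json` output (not a real project).
const SAMPLE_NPM_LS = {
  name: 'my-app', version: '0.1.0',
  dependencies: {
    next: { version: '15.1.3', dependencies: { 'styled-jsx': { version: '5.1.6' } } },
    react: { version: '19.2.0' },
    'react-dom': { version: '19.2.0', dependencies: { scheduler: { version: '0.27.0' } } },
  },
};

const sampleHits = scanNpmLs(SAMPLE_NPM_LS);
for (const h of sampleHits) console.log(`VULNERABLE ${h.name}@${h.version} (${h.path})`);
```

To run it against a real project, replace SAMPLE_NPM_LS with the parsed output of `npm ls --json`; nested hits show the path through which the vulnerable copy is pulled in.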

React2Shell isn’t going away

Your dev team saying “oh we’ll get to it next sprint” isn’t going to cut it. This is a perfect 10.0 severity, attackers are already in production systems, and if you’re running React 19.x or Next.js 15.x/16.x, you’re exposed right now.

Patch today. Not Friday. Not next week. Today.

And if you're sitting there wondering what apps are actually vulnerable in your environment, or whether your devs really patched everything they said they did, then we need to talk. We'll find what's exposed, verify your patches actually took, and make sure you're not the next headline.

Don’t wait for the breach notification.
