RCE Vulnerability in React and Next.js

Posted by rayhaanj 12/3/2025

RCE Vulnerability in React and Next.js(github.com)

628 points | 258 commentspage 2

ksherlock 12/4/2025|

You can't have Vercel without RCE.

croemer 12/3/2025||

Link should go to: https://react.dev/blog/2025/12/03/critical-security-vulnerab...

dzonga 12/3/2025||

till this day, I don't know the substantial benefits of React Server Components over say classically rendered html pages + using htmx ?

mind you react in 2017 paid my rent. now cz of the complexity I refuse to work with react.

leptons 12/3/2025||

>now cz of the complexity I refuse to work with react.

What do you like to work with now?

TranquilMarmot 12/3/2025||

Right - you can NOT tell me that a sufficiently complex application using HTMX is easier to reason about than React. I've had to deal with a complex HTMX codebase and it is a nightmare.

ethanwillis 12/3/2025||

Right - you can NOT tell me that a sufficiently simple application using React is easier to reason about than HTMX. I've had to deal with a simple React codebase and it is a nightmare.

They don't address the exact same markets.

chatmasta 12/4/2025||

Yeah… one of them addresses a market populated by hundreds of thousands of developers with extensive professional experience in the framework, and the other addresses a niche of Python developers who refused to learn JavaScript until somebody hid it from them and called it hypermedia.

bdangubic 12/4/2025||

100’s of thousands used to use php too :) most developers (roughly 97.56% are terrible/incompetent so going with the herd should tell you you are on the wrong train :)

chatmasta 12/4/2025||

Thousands of developers still use PHP… and even more users… Wordpress (43% of web), Facebook (billions of users), Wikipedia (billions of users)…. all PHP.

htmx is a a toy, mildly amusing to play with, built on an insecure foundation that bypasses basic browser security controls and hands a blob of JavaScript to a bunch of backend developers who can’t be bothered to learn it because they think they know better…

No serious project uses htmx and none ever will, because it becomes an unmaintainable mess by the third developer and second year of development.

bdangubic 12/4/2025||

“No serious project uses [insert any framework/language/…] and none ever will, because it becomes an unmaintainable mess by the third developer and second year of development” if team is incompetent

switz 12/3/2025|||

They lend you optionality of when and where you want your code to run. Plus it enables you to define the server/client network boundary where you see fit and cross that boundary seamlessly.

It's totally fine to say you don't understand why they have benefits, but it really irks me when people exclaim they have no value or exist just for complexity's sake. There's no system for web development that provides the developer with more grounded flexibility than RSCs. I wrote a blog post about this[0].

To answer your question, htmx solves this by leaning on the server immensely. It doesn't provide a complete client-side framework when you need it. RSCs allow both the server and the client to co-exist, simply composing between the two while maintaining the full power of each.

[0] https://saewitz.com/server-components-give-you-optionality

ptx 12/3/2025|||

But is it a good idea to make it seamless when every crossing of the boundary has significant implications for security and performance? Maybe the seam should be made as simple and clear as possible instead.

paulhebert 12/3/2025||

Yep! It’s really hard to reason in Next about when things happen on the server vs client. This makes it harder to make things secure.

You can create clean separation in your code to make this easier to understand but it’s not well enforced by default.

samdoesnothing 12/4/2025||||

Just because something is made possible and you can do it doesn't mean you should!

The criticism is that by allowing you to do something you shouldn't, there isn't any benefit to be had, even if that system allows you to do something you couldn't before.

lobito25 12/7/2025|||

It also gives you a 10 cve

AstroBen 12/3/2025|||

You can optionally enhance it and use React on the client. Doing that with HTMX is doable with "islands" but a bit more of a pain in the ass - and you'll struggle hard if you attempt to share client state across pages. Actually there are just a lot of little gotchas with the htmx approach

I mean it's a lot of complexity but ideally you shouldn't bring it in unless you actually need it. These solutions do solve real problems. The only issue is people try to use it everywhere. I don't use RSC, standard SPAs are fine for my projects and simpler

venturecruelty 12/4/2025|||

React lets you inflate your salary.

nonethewiser 12/3/2025||

easier/more reactivity, doesnt require your api responses to be text parsable to html

karel-3d 12/4/2025||

I am so behind JavaScript that I didn't even know React can somehow run on a backend. I thought it's a frontend framework? Oh, well.

bitbasher 12/3/2025||

It's almost like trying to magically wire up your frontend to the backend through magical functions is a bad idea.

division_by_0 12/3/2025||

This reminds me of the recent SvelteKit Remote Functions GH discussion:

> Even in systems that prevent server functions from being declared in client code (such as "use server" in React Server Components), experienced developers can be caught out. We prefer a design that emphasises the public nature of remote functions rather than the fact that they run on the server, and avoids any confusion around lexical scope. [0]

[0] https://github.com/sveltejs/kit/discussions/13897

beders 12/3/2025|||

One could get the impression that the only really really important non-functional requirement for such a thing is to absolutely ensure that you can only call the "good" functions with the "good" payload.

dizlexic 12/3/2025|||

ikr, no way this could have been predicted and warned about for months and months before now.

bossyTeacher 12/3/2025|||

CV driven development needs new ideas for resume padding regardless of whether the idea is good or bad. Then you get this

baiwl 12/3/2025||

[flagged]

bitbasher 12/3/2025||

I don't think money is a good proxy for idea quality. AI? Blockchain? Crime in general? Plenty of bad ideas make a whole lot of money.

dizlexic 12/3/2025||

Enron made boat loads.

javaking 12/3/2025||

I'm not a javascript person so I was trying to understand this. if i get it right this is basically a way to avoid writing backend APIs and manually calling them with fetch or axios as someone traditionally would do. The closest comparison my basic java backend brain can make is dynamically generating APIs at runtime using reflection, which is something I would never do... I'm lazy but not dumb

jazzypants 12/4/2025||

It's an RPC. They're half a century old. Java had RMI within a year of existence. [0]

> In remote procedure call systems, client-side stub code must be generated and linked into a client before a remote procedure call can be done. This code may be either statically linked into the client or linked in at run-time via dynamic linking with libraries available locally or over a network file system. In either the case of static or dynamic linking, the specific code to handle an RPC must be available to the client machine in compiled form... Dynamic stub loading is used only when code for a needed stub is not already available. The argument and return types specified in the remote interfaces are made available using the same mechanism. Loading arbitrary classes into clients or servers presents a potential security problem;

https://pdos.csail.mit.edu/archive/6.824-2009/papers/waldo-r...

mvdtnz 12/3/2025|||

There is a certain category of developers (a category that multiplied in size many times over around the same time as the boom in coding bootcamps, take that for what you will) who believe that there's virtue in running the same code on the client and the server, despite them being totally different paradigms with different needs. This kind of thing is the predictable result.

mexicocitinluez 12/4/2025|||

> There is a certain category of developers (a category that multiplied in size many times over around the same time as the boom in coding bootcamps, take that for what you will) who believe that there's virtue in running the same code on the client and the server, despite them being totally different paradigms with different needs.

First, "same code on the client and the serve" is wrong. Since when do RSC's run on both the client and the server?

Also, you honestly believe that wanting to use the same language across paradigms is a "coding bootcamp" thing lol? That something like Blazor was born out of a coding bootcamp?

Have you ever built a web app? Both front and back end? Have you ever had to deal with the tension of duplicating code? Models, validation, ideas?

If you answered yes to those questions but still don't see how de-duplicating code like that can be important, than I'm 100% positive you're still in the boot camp.

chasd00 12/3/2025||||

to be fair to bootcamp developers, i don't think they ever did "believe that there's virtue" in the setup, they were just told this is what you use and how you use it.

homebrewer 12/3/2025||||

It's just the latest take on what we had 20 years ago with .NET's WebForms and Java's JSF. Both of which tried to hide the network separation between client and server and were not fun to work with.

Those who don't learn history are bound to repeat it, and all that.

venturecruelty 12/4/2025|||

"You can run JavaScript on the frontend and the backend!" always struck me as the weakest marketing ever. I've been around the block, and which language the web application uses is hardly any sort of limiting factor in ease of development. (And ideally, your frontend has as little JavaScript as possible anyway.) There is very little that can't be programmed in a more web-friendly way, like POSTing forms and rendering HTML templates. Sure, I guess Google Maps can just be a fat application, but like... every eCommerce site doesn't need to be some big ball of React mud, I promise.

jacquesm 12/4/2025||

I think the main problem was that 'the standard' wasn't evolving fast enough to solve the bulk of the issues around input validation and UI building so we got this crap language that is powerful enough to hide a thousand footguns in a few lines of code. It will never be perfect so it will generate this kind of issue for the next century or so.

If instead, we would have gradually expanded the HTML standard without adding a fully functional programming language into the content stream we would have had better consistency between websites and applications and we would treat the browser like what it is: a content delivery mechanism, not an application programming platform. That's the core mistake as far as I'm concerned.

IceDane 12/3/2025||

Not even remotely similar.

wepple 12/3/2025|||

Care to elaborate on what it is like, then?

mvdtnz 12/3/2025|||

Actually he's more or less correct.

c-hendricks 12/3/2025||

Anyone know how Tanstack Start isn't affected?

serhalp 12/3/2025||

TanStack Start has its own implementation of Server Functions: https://tanstack.com/start/latest/docs/framework/solid/guide.... It doesn't use React Server Functions, in part because it intends to be agnostic of the rendering framework (it currently supports React and Solid).

To be fair, they also haven't released (even experimental) RSC support yet, so maybe they lucked out on timing here.

dimitrisnl 12/3/2025||

They haven't implemented RSC yet.

auggierose 12/4/2025||

I like React, a lot. But it looks to me that RSC is not something I would use in an offline-first application anyway, is that right?

Raicuparta 12/4/2025||

Part of RSC is the ability to have each component fetch their own data on the server, or at build time. Meaning you can use this part for static pages, offline apps, etc. But that part is unrelated to this vulnerability.

vinnymac 12/4/2025||

You wouldn't use it in an offline-first application. But you can use it an offline-first application, and it isn't even very difficult.

I have built electron apps for fun that utilize React Server Components entirely offline.

ajross 12/3/2025||

The CVE says the that flaw is in React Server Components, which implies strongly that this is a RCE on the backend (!!), not the client.

heisenbit 12/3/2025||

I suspect client developers are also affected at least to the extent that they need to explain this RCE to CVE driven management.

padjo 12/3/2025|||

Where else would it be? What would an RCE of the client even mean?

ajross 12/3/2025|||

The term is always ambiguous. But react is generally understood as a client library and client-side vulnerabilities are hardly a new thing. XSS exists as a whole subfield of study precisely because of the difficulty of keeping site code from getting fooled by malicious input.

Basically you're technically correct with your quip, but engaging in some pretty awful security analysis. IMHO most people reading this headline are not going to understand that they need to audit their server dependencies.

cyptus 12/3/2025||||

it would be an RCE on your own machine :D

dfedbeef 12/4/2025|||

LCE

IceDane 12/3/2025||

Bravo.

oliverpk 12/4/2025|

So this can be avoided by using react like a normal person... client side rendering + bundled with vite

More comments...