NextJS Security Vulnerability

10/10 meltdown: Next.js rushes fixes as users argue who broke it—React or Next

TLDR: A max‑severity flaw let attackers run code on Next.js servers using the App Router, now patched across 15.x and 16.x with canary users told to downgrade. Comments erupted into a blame war—React vs Next—plus memes, shade at canary builds, and urgent pleas to update immediately.

A scary bug hit Next.js sites using the App Router: a flaw in React Server Components (a feature that renders parts of your app on the server) could let attackers run their own code on your server—aka remote code execution. Severity? CVSS 10.0: the max-level red alert. The fix is out across Next.js 15.x and 16.x (and you should upgrade now), while anyone on the experimental 14.3.0 "canary" builds is told to downgrade to stable. There's no configuration switch that disables it, and the team is keeping details light to protect those who haven't patched. Credit goes to researcher Lachlan Davidson for the responsible heads-up.

But the real show is the comments. One camp is yelling “it’s a React bug,” another is convinced Next.js messed up, and everyone’s stress‑posting memes. Over on HN, users dropped spicy lines like “same as the React RCE,” while others dunked on teams shipping canary builds to production: “Canary means bird, not business.” Some devs flexed they’re safe because they use the older Pages Router or Edge Runtime, while App Router users scrambled for patches. The mood? A mix of blame game, gallows humor (“RCE = Really Cooked Ecommerce”), and urgent upgrade guides—plus debates about whether holding back technical details is smart caution or corporate spin. Drama level: full stack.

Key Points

  • Critical RSC protocol vulnerability enables remote code execution (CVSS 10.0) in unpatched environments.
  • Issue originates in upstream React (CVE-2025-55182); Next.js advisory tracks downstream impact as CVE-2025-66478.
  • Affected: Next.js 15.x, 16.x, and 14.3.0-canary.77+ with App Router and RSC; not affected: 13.x, 14.x stable, Pages Router, Edge Runtime.
  • Patched Next.js versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7 with hardened RSC implementation.
  • No configuration-based mitigation; users must upgrade (or downgrade canary to latest stable 14.x) to resolve.
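As an added example (not code from the advisory, the Next.js project, or the comment thread), a small triage helper that applies the affected and patched ranges listed above to a declared Next.js version; it assumes npm-style version strings and that the caller states whether the project uses the App Router.

```javascript
// Added example: triage a declared Next.js version against the affected and
// patched ranges listed in the Key Points above. Not code from the advisory or
// the Next.js project. Assumes npm-style version strings (optional ^/~ prefix,
// optional prerelease tag such as "-canary.77").

// Lowest fixed release per affected minor line, as listed in the advisory summary.
const PATCHED_BY_MINOR = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};

// Parse "MAJOR.MINOR.PATCH[-tag[.N]]" into numeric parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(?:\.(\d+))?)?$/i.exec(v.trim().replace(/^[\^~]/, ''));
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           tag: m[4] ? m[4].toLowerCase() : null, tagNum: m[5] ? +m[5] : 0 };
}

// Compare major.minor.patch only; prerelease handling is done by the caller.
function cmpRelease(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// usesAppRouter: the caller states whether the project uses the App Router
// (Pages Router and Edge Runtime deployments are not affected per the advisory).
function triageNextVersion(versionStr, { usesAppRouter = true } = {}) {
  const v = parseVersion(versionStr);
  if (!usesAppRouter) {
    return { status: 'not-affected', advice: 'Pages Router / Edge Runtime only; not in scope of this issue' };
  }
  if (v.major < 15) {
    // Only 14.3.0-canary.77 and later canary builds are affected; 13.x and stable 14.x are not.
    const rel = cmpRelease(v, { major: 14, minor: 3, patch: 0 });
    if (v.tag === 'canary' && (rel > 0 || (rel === 0 && v.tagNum >= 77))) {
      return { status: 'affected', advice: 'downgrade to the latest stable 14.x release' };
    }
    return { status: 'not-affected', advice: 'no action required for this issue' };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = PATCHED_BY_MINOR[line];
  if (!fixed) return { status: 'unknown', advice: `no patched release listed for ${line}; check the advisory` };
  const c = cmpRelease(v, parseVersion(fixed));
  // A prerelease of the fixed version (e.g. 16.0.7-canary.3) still precedes the fix.
  if (c < 0 || (c === 0 && v.tag)) return { status: 'affected', advice: `upgrade to ${fixed}` };
  return { status: 'patched', advice: 'already on a fixed release' };
}
```

A `^` or `~` range in package.json only says what was requested; feed the resolved version from the lockfile or `npm ls next` for an accurate answer.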

Hottest takes

"This looks to be the same as the React RCE" — normie3000
"presumably it was NextJS's fault all along" — normie3000
"Discussion" — ChrisArchitect
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.