TL;DR: React and Next.js are vulnerable in default configurations to unauthenticated RCE with no prerequisites. Our exploitation tests show that a standard Next.js application created via create-next-app and built for production is vulnerable without any specific code modifications by the developer.Technical DetailsA critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Ne...