
Why Your React & Nextjs App Might Be Vulnerable (And How to Fix It)


December 5, 2025

If you’ve been on Tech Twitter this week, you’ve probably seen the fire alarms going off. A critical security vulnerability was discovered in React Server Components (RSC) specifically affecting Next.js versions 15 and 16.

We’re talking about a CVSS 10.0 severity score. In security terms, that’s not just a red flag; that’s a siren...!

If you are running a modern Next.js app, you need to upgrade immediately. But if you’re curious why this happened and how a single word, "constructor", could take down a server, here is the technical breakdown.

The Technical Bit: Climbing the Prototype Chain

Imagine your server has a simple object containing the allowed actions a user can perform:

When a request comes in, the server effectively looks up actions[userInput].

The Attack: What happens if a hacker sends the string "constructor" as the input?

Even though you didn't define a constructor property in your actions object, JavaScript objects inherit from a prototype. By default, every plain object has a hidden link to Object.prototype, and Object.prototype.constructor is the global Object function.

If the server code doesn't strictly check for ownership, asking for actions["constructor"] walks up that chain and returns the global Object constructor.

The Vulnerability: It’s Not Your Code, It’s the Plumbing

Usually, when we talk about security holes, it's because a developer forgot to sanitize an input field. In this case, the flaw was in the framework itself.

The vulnerability is a classic Prototype Pollution style issue.

Why is that dangerous?

Getting the Object Constructor is like getting the master key to the building.

Once an attacker has access to the constructor, they can potentially climb the chain to access the Function constructor. In a Node.js environment, the Function constructor is incredibly powerful—it allows you to generate and execute code from strings (similar to eval).

The Fix: hasOwnProperty

The React team (and Vercel) patched this within hours. The fix was simple but critical.

Instead of blindly trusting the lookup, the framework now checks if the property actually belongs to that specific object, ignoring anything inherited.

In pseudo-code, the fix looks like this:

This ensures that if someone requests "constructor", the server says, "I don't see that written directly on this object," and blocks the request.
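To make the ownership check concrete, here is an added example written for this post (it is not the React or Next.js patch, and the registry entries and function names are made up): a minimal Server Action registry with the unsafe lookup beside the hardened one, plus a registry built with no prototype at all.

```javascript
// Added illustration, not React's or Next.js's actual source.
// Constructed sample registry of "server actions" (hypothetical names).
const actions = {
  createPost: (title) => `created post: ${title}`,
  deletePost: (id) => `deleted post ${id}`,
};

// Vulnerable lookup: a plain property access walks the prototype chain,
// so a request for "constructor" resolves to the inherited
// Object.prototype.constructor (the global Object function) instead of
// failing, and Object.constructor in turn is the Function constructor.
function lookupActionUnsafe(registry, name) {
  return registry[name];
}

// Hardened lookup: accept only a string name that is an OWN property of the
// registry and whose value is a function. Object.prototype.hasOwnProperty.call
// is used (rather than registry.hasOwnProperty) so the check still works if the
// registry has no prototype or shadows hasOwnProperty; Object.hasOwn(registry,
// name) is the modern equivalent on Node 16.9+.
function lookupActionSafe(registry, name) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(registry, name)) return undefined;
  const fn = registry[name];
  return typeof fn === 'function' ? fn : undefined;
}

// Defence in depth: build the registry with a null prototype so there is no
// chain to climb at all; "constructor", "__proto__" and "toString" are then
// simply absent unless explicitly registered.
function createRegistry(entries) {
  const registry = Object.create(null);
  for (const [name, fn] of Object.entries(entries)) registry[name] = fn;
  return registry;
}
```

Run the two lookups with the name "constructor" to see the difference: the unsafe one hands back the Object function, the safe one returns undefined.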

What You Need To Do

This isn't a "wait and see" situation. Because this allows unauthenticated remote code execution, bots will likely start scanning for this vulnerability soon.

  1. Check your package.json. If you are using next (v15 or v16) or react (v19 beta/canary), you are likely affected.
  2. Upgrade. Run npm update, pnpm update, or bun upgrade to pull the latest patch versions.
  3. Deploy. Push the update to production immediately.

Stay safe out there!

VibeAudits
