Tags: Next.js, Security, React Server Components, CVE, Web Development

Critical Next.js Vulnerability in React Server Components: Upgrade Now

webhani

The Short Version

Two vulnerabilities were disclosed in the Next.js React Server Components (RSC) implementation in March 2026:

  • Critical (CVSS 10.0): A flaw in the RSC protocol allows remote code execution without authentication
  • High severity: A denial-of-service vulnerability in the same subsystem

Every Next.js version from 13.x through 16.x is affected. If you run Next.js in production, patching this is your top priority today.

Why CVSS 10.0 Is the Ceiling

CVSS 10.0 means an attacker can execute arbitrary code on your server remotely, with no credentials required. For a server-side framework like Next.js that handles requests, processes data, and may access databases and internal services, the blast radius of an RCE vulnerability is severe.

The RSC protocol handles serialized data between server and client. A flaw in how this data is parsed or executed creates a vector for injecting malicious payloads.

Remediation Steps

1. Identify your current version

# Check package.json
cat package.json | grep '"next"'

# Or list installed version
npm list next

2. Upgrade to the latest patch

Security patches are available across all affected minor branches:

# npm
npm install next@latest

# yarn
yarn upgrade next@latest

# pnpm
pnpm update next@latest

If your project pins an exact version, update to the patched release for your minor branch rather than jumping to the latest major.

3. Verify your build

npm run build
npm test

Don't skip this step. Security patches occasionally introduce minor behavioral changes, and it's better to catch them before deploying.

4. Deploy

Ship the upgrade as soon as tests pass. On Vercel, pushing the updated package.json triggers a new deployment automatically. For self-hosted setups, update your deployment pipeline to pull the patched version.

Handling Lock Files and CI

If your CI pipeline uses package-lock.json or yarn.lock, update them explicitly:

npm install
git add package-lock.json package.json
git commit -m "security: upgrade next.js to patch CVE-RSC-2026"
git push

For Docker-based setups, rebuild your image after updating:

docker compose up -d --build

If you use a base image that installs dependencies at build time, make sure the updated lock file is included in the image context.

"We Don't Use React Server Components" — Still Affected?

Yes. Even projects using only the Pages Router include RSC-related code in Next.js 13+. The vulnerability lives in the framework internals, not in your application code. Upgrade regardless of which rendering strategy you use.

Scanning Multiple Projects at Once

If you maintain several Next.js applications, npm audit can surface the issue across all of them:

# Run in each project root
npm audit

# Apply non-breaking patches automatically
npm audit fix

For portfolio-wide scanning, tools like Dependabot or Renovate can automate upgrade PRs across repositories — worth setting up if you haven't already.
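npm audit only reports on the project it runs in, and it needs network access to the advisory database. As an added example (not part of the original post, and not a webhani or Next.js tool), the script below walks a list of project roots offline, resolves the Next.js version the way CI would see it (installed copy first, then the lock file, then the package.json range as a fallback) and flags every project whose major version falls in the 13 through 16 range the post describes, so you know which ones to check against the patched release for their minor branch. Assumptions: npm lockfile v1/v2/v3 layout, and the version ranges are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

# Major versions the advisory covers (13.x through 16.x), as stated in the post.
AFFECTED_MAJORS = range(13, 17)


def installed_next_version(project: Path):
    """Return the Next.js version (or range) a project resolves to, else None.

    Order: installed copy in node_modules, then the lock file (what CI will
    install), then the package.json range as a last resort.
    """
    installed = project / "node_modules" / "next" / "package.json"
    if installed.is_file():
        return json.loads(installed.read_text())["version"]
    lock = project / "package-lock.json"
    if lock.is_file():
        data = json.loads(lock.read_text())
        # lockfile v2/v3 keeps a "packages" map, v1 a "dependencies" map
        for entry in (data.get("packages", {}).get("node_modules/next"),
                      data.get("dependencies", {}).get("next")):
            if entry and "version" in entry:
                return entry["version"]
    manifest = project / "package.json"
    if manifest.is_file():
        data = json.loads(manifest.read_text())
        for section in ("dependencies", "devDependencies"):
            spec = data.get(section, {}).get("next")
            if spec:
                return spec  # a range such as "^14.1.0", not a resolved version
    return None


def major_of(version):
    """Extract the major number from "14.2.3", "^14.1.0" or "~15.0.0"."""
    m = re.search(r"(\d+)\.", version)
    return int(m.group(1)) if m else None


def scan_projects(roots):
    """Map each project root to (status, version) for prioritising upgrades."""
    report = {}
    for root in roots:
        version = installed_next_version(Path(root))
        if version is None:
            report[str(root)] = ("no-next", None)
        elif major_of(version) in AFFECTED_MAJORS:
            report[str(root)] = ("in-affected-majors", version)
        else:
            report[str(root)] = ("outside-affected-majors", version)
    return report


if __name__ == "__main__":
    for path, (status, version) in scan_projects(sys.argv[1:]).items():
        print(f"{path}: {status} ({version})")
```

Run it as `python scan_next.py ~/repos/*` and treat every "in-affected-majors" line as a project to patch; a project that only resolves from package.json shows a range, so confirm its lock file before closing it out.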

Prioritizing Response Across Environments

Environment                                  Priority
Public-facing production (user data, auth)   Patch today
Internal tools, admin panels                 Within 48 hours
Staging / preview environments               This sprint
Development-only setups                      Next available window

Lessons for Ongoing Dependency Hygiene

Critical vulnerabilities in widely-used frameworks are inevitable. The teams with the least disruption are those with:

  1. Automated dependency PRs (Renovate, Dependabot) — reduces the manual effort of staying current
  2. npm audit in CI — catches new advisories before they ship
  3. Short upgrade cycles — teams on monthly or quarterly update schedules are exposed longer

# Example: GitHub Actions audit check
- name: Security audit
  run: npm audit --audit-level=high

Adding this to your CI pipeline means a high or critical advisory fails the build, prompting immediate attention rather than being noticed weeks later.

Summary

Patch your Next.js installations now. The CVSS 10.0 rating and the scope — all versions from 13 through 16 — make this one of the more serious framework vulnerabilities in recent memory. The fix is a version bump; the risk of not patching is real RCE exposure.

If you need help coordinating upgrades across multiple projects or environments, reach out to the webhani team.