RCE-info Brief (Redacted)

This is the redacted brief used at the start of the RSC investigation. Sensitive headers/cookies were removed.

Important: this brief provided advisory context and a sample request shape. It did not include a confirmed exploit request.

Advisory Snapshot #

• Claimed issue: unauthenticated RCE via React Server Components (“Flight”) deserialization.
• Affected: React 19.0–19.2; Next.js 14.3-canary and 15.x/16.x (App Router).
• Patched: React 19.0.1/19.1.2/19.2.1; Next.js 14.3-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
• Target setup: local sample app with an RSC route at /test.

Trimmed Request Shape #

fetch("http://localhost:3002/test", {
  headers: {
    accept: "text/x-component",
    "content-type": "text/plain;charset=UTF-8",
    "next-action": "405df4032e3eac902896c6c4b441ecad99122c38d2",
    "next-router-state-tree": "[...]",
    Referer: "http://localhost:3002/test",
    cookie: "[redacted]"
  },
  body: "[\"examplepostdata\"]",
  method: "POST"
});

Original Goal #

Build a working exploit.js focused only on the alleged RCE path by diffing patched vs unpatched code and validating behavior in a local test app.