## Next.js 15.4.1-15.4.8: Critical RCE Flaw in React Server Components Exposes Servers to Unauthenticated Attack
A critical vulnerability in Next.js versions 15.4.1 through 15.4.8 allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw resides in the React Server Components (RSC) payload decoding mechanism, enabling remote code execution (RCE) through specially crafted HTTP requests. Crucially, exploitation does not require any explicitly implemented Server Function endpoints, meaning many standard Next.js deployments could be vulnerable to attack without any specific misconfiguration by developers.

The vulnerability, tracked internally as AIKIDO-2025-10869 and rated as critical severity, stems from a flaw in how Next.js processes RSC payloads. An attacker can send malicious HTTP requests to Server Function endpoints, which the flawed decoding logic fails to properly sanitize, leading to arbitrary code execution. This represents a severe security failure in a core framework component used by thousands of production applications for server-side rendering and data fetching.

The immediate fix requires upgrading Next.js to a patched version beyond 15.4.8. The upgrade path from 15.4.1 to 15.4.8 via a minor version update resolves the CVE without introducing breaking changes, but administrators must act swiftly. Any organization running Next.js applications, particularly those using React Server Components, should treat this as an urgent patch priority to prevent server compromise and data breaches from unauthenticated remote attacks.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, web-framework, react, server-side
- **Credibility**: unverified
- **Published**: 2026-04-12 15:22:38
- **ID**: 60715
- **URL**: https://whisperx.ai/en/intel/60715