React Server Functions / Next.js Vulnerability: Deno Deploy users protected
TL;DR: A critical Remote Code Execution (RCE) vulnerability has been found in React Server Functions and Next.js. Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.
This is part of a coordinated vulnerability disclosure with the Meta Security Team and the Next.js team at Vercel, regarding a critical-severity Remote Code Execution (RCE) vulnerability in React Server Functions.
On Saturday, November 29th 2025, a security researcher responsibly disclosed an unauthenticated remote code execution (RCE) vulnerability in React Server Functions to Meta.
This vulnerability exists in all versions of React’s “Server Function” protocol released to date (React 19.0, 19.1, and 19.2.0). It allows an attacker to execute arbitrary code on a server that accepts and processes React Server Function requests. The following RSC implementations are known to be vulnerable:
- All Next.js applications using App Router, on Next 15 or Next 16.
- Applications using React Router RSC preview
- Applications built with the Parcel RSC plugin
- Applications built with the Vite RSC plugin
On December 2nd 2025, Deno implemented a runtime-level mitigation for this vulnerability in Deno Deploy. Applications deployed to Deno Deploy are thus no longer vulnerable to this RCE exploit. The mitigation has been applied to the new Deno Deploy, Deno Deploy Classic, and Deno Deploy subhosting environments.
All other users must immediately upgrade their applications to any of the following patched versions of React or Next.js, which contain fixes for this vulnerability:
- Next.js 16: update `next` to 16.0.7 or later.
- Next.js 15: update `next` to 15.5.6 or later (and for older minors you can update to 15.4.6, 15.3.6, 15.2.6, or 15.1.9).
- React Router, Parcel RSC, Vite RSC, Waku, and RedwoodSDK: update `react-server-dom-webpack` / `react-server-dom-parcel` / `react-server-dom-turbopack` to 19.2.1 or later (and for older minors you can update to 19.1.2 or 19.0.1).
If you are using Deno as your package manager, you can upgrade Next.js by running:
```sh
deno update next@latest
```

To upgrade the library that implements React Server Functions for React Router, Parcel RSC, Vite RSC, Waku, or RedwoodSDK, run:

```sh
deno update react-server-dom-webpack@latest
# or
deno update react-server-dom-parcel@latest
# or
deno update react-server-dom-turbopack@latest
```

For users of Deno Deploy: although a runtime-level mitigation has already been applied to all Deno Deploy applications automatically, we still recommend upgrading to the patched versions of Next.js / React as soon as possible, to ensure that your applications remain secure in other deployment environments.
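To confirm that an upgrade took effect, the patched-version list above can be turned into a check over the versions a lockfile actually resolved. This is an added example, not code from Deno, React or Next.js; the function names and the sample dependency map are constructed for illustration, and the version floors are the ones listed in this post.

```javascript
// Added example: patched floors per release line, copied from the list in this post.
const FLOORS = {
  next: { 16: { 0: 7 }, 15: { 5: 6, 4: 6, 3: 6, 2: 6, 1: 9 } },
  "react-server-dom": { 19: { 2: 1, 1: 2, 0: 1 } },
};

// Map a package name to its row in FLOORS, or null if the post does not name it.
function family(name) {
  if (name === "next") return "next";
  return /^react-server-dom-(webpack|parcel|turbopack)$/.test(name) ? "react-server-dom" : null;
}

// Classify one exact resolved version as "patched", "vulnerable", "not-listed" or "unknown".
function classify(name, version) {
  const fam = family(name);
  if (!fam) return "not-listed";
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return "unknown"; // ranges and prereleases (canary, rc) need a manual look
  const [major, minor, patch] = m.slice(1).map(Number);
  const lines = FLOORS[fam][major];
  if (!lines) {
    // Majors older than any listed are not named as affected; newer ones fall under "or later".
    return major > Math.max(...Object.keys(FLOORS[fam])) ? "patched" : "not-listed";
  }
  if (minor in lines) return patch >= lines[minor] ? "patched" : "vulnerable";
  // A minor newer than every listed line is covered by "or later"; an older one has no listed fix.
  return minor > Math.max(...Object.keys(lines)) ? "patched" : "vulnerable";
}

// Return only the entries that still need attention.
function audit(resolved) {
  return Object.entries(resolved)
    .map(([name, version]) => ({ name, version, status: classify(name, version) }))
    .filter((f) => f.status === "vulnerable" || f.status === "unknown");
}

// Constructed sample: package name -> exact version resolved in a lockfile.
const sample = {
  next: "15.4.5",
  "react-server-dom-webpack": "19.2.1",
  "react-server-dom-parcel": "19.1.1",
  lodash: "4.17.21",
};
console.log(audit(sample));
```

Feed `audit` the exact versions from your lockfile rather than the ranges in `package.json`, since a range such as `^15.4.0` says nothing about what was installed.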
Due to the nature of this vulnerability, we do not believe that a Web Application Firewall can fully mitigate this issue without false positives. Because of this, we have mitigated the risk for Deno Deploy users using a runtime-level mitigation instead. Nonetheless, we recommend that all users upgrade to a patched version of the affected libraries for a more comprehensive mitigation. We will share more details about the runtime-level mitigation in a future blog post.
We thank the Meta Security Team and the Next.js team at Vercel for their collaboration in responsibly disclosing this vulnerability and coordinating the release of patches and mitigations. Additionally, we thank Lachlan Davidson, who found and reported this vulnerability, for their responsible disclosure.
If you have any questions or need assistance, please reach out to us at deploy@deno.com.
