My understanding of the issue is that even if you don't use server components, you're still vulnerable.
Unless you're running a static HTML export - e.g. not running the Next.js server, but serving through nginx or similar
Yeah, crucially it says
> If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
https://react.dev/blog/2025/12/03/critical-security-vulnerab...
So if you have a backend that supports RSC, even if you don't use it, you can still be vulnerable.
GP said they only shipped front ends but that can mean a lot.
Edit: link