A critical Remote Code Execution (RCE) vulnerability has been found in React Server Functions and Next.js. Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.

Deno's official blog provides updates, tutorials, and use cases for Deno, a secure JavaScript/TypeScript runtime. Developers can explore Deno's features, security model, and ecosystem integrations, gaining insights into modern JavaScript development practices. With contributions from Deno core contributors and community members, the blog offers resources for developers adopting Deno for their projects.

Deno

A critical Remote Code Execution vulnerability has been discovered in React Server Functions affecting React 19.x and Next.js 15/16 applications using App Router. The vulnerability allows attackers to execute arbitrary code on servers processing React Server Function requests. Deno Deploy has implemented runtime-level mitigations to protect users automatically, but immediate upgrades to patched versions (Next.js 16.0.7+, 15.5.6+, or React 19.2.1+) are required for all other deployments. Web Application Firewalls cannot fully mitigate this issue without false positives.

React Server Functions / Next.js Vulnerability: Deno Deploy users protected