Security
14 min read

Next.js Vulnerabilities: Protecting Your App from RSC & Middleware Exploits

Amit Narwal
Freelance Full Stack & AI Developer

Incident Overview

The vulnerabilities publicized in 2025 exposed a fundamental weakness in modern full-stack frameworks: internal trust. Signals the framework meant only for itself, an internal routing header in one case and a serialized component stream in the other, were accepted when they arrived from the public internet.

Anatomy of 'React2Shell' (RCE)

The Flight protocol that Next.js uses to stream React Server Components is a custom serialization format. In the server-to-browser direction Next.js pushes Flight chunks into the `__next_f` array for hydration; the same encoding carries Server Action arguments from the browser back to the server in the body of a POST request, and it is the server-side, recursive deserializer of that incoming stream that React2Shell (CVE-2025-55182) abused.

By smuggling prototype-related keys (`__proto__` and similar constructor chains) into the stream, an attacker could make the deserializer perform **arbitrary object assignment** on objects it should never touch, and from there reach Remote Code Execution (RCE). In practice that meant a single unauthenticated HTTP POST could execute attacker-chosen code on the server inside your production VPC.
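The bug class the previous paragraph describes, untrusted keys assigned recursively onto live objects, is easiest to see in a toy. The example below is added here and is not React's Flight parser, not the React2Shell payload, and not Next.js code; the JSON "wire format", the `mergeUnsafe`/`mergeSafe` functions and the sample payloads are all constructed for this illustration. It shows a naive recursive "hydrate state from the client" routine polluting `Object.prototype` through a `__proto__` key, and a hardened version that refuses prototype-related keys and only descends into own properties.

```javascript
// Added example: a toy recursive deserializer (NOT React Flight) showing
// prototype pollution through untrusted keys, beside a hardened version.

// Vulnerable: copies every key from an untrusted tree onto the target.
// For key "__proto__", target[key] is Object.prototype, so the recursion
// writes attacker-chosen properties onto the shared prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject prototype-related keys outright and only descend into
// properties the target actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to assign key "${key}"`);
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null); // no prototype to pollute
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Deserialize a constructed JSON payload into a fresh toy app state.
function hydrate(json, merge) {
  const state = { user: { name: "guest" } }; // constructed starting state
  try {
    merge(state, JSON.parse(json));
    return { ok: true, state };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Did the shared prototype pick up the attacker's property?
function isPolluted() {
  return ({}).isAdmin === true;
}

// Undo the pollution so the process can continue (test hygiene only).
function cleanupPollution() {
  delete Object.prototype.isAdmin;
}

// Constructed payloads: one benign, one carrying a __proto__ key.
const BENIGN_PAYLOAD = '{"user":{"name":"alice"}}';
const MALICIOUS_PAYLOAD = '{"__proto__":{"isAdmin":true}}';
```

`JSON.parse` creates `__proto__` as an ordinary own property, so `Object.keys` hands it to the merge loop; the damage happens only when the loop indexes `target["__proto__"]` and recurses into what it gets back. The hardened version fails closed (it throws rather than silently dropping the key), which is the behaviour you want from anything that parses attacker-supplied structure.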

The Middleware Subrequest Bypass

This was perhaps even more dangerous. Next.js uses an internal header, `x-middleware-subrequest`, to mark requests that the middleware itself issues to the application (for example a `fetch` from middleware back to a route), so that the middleware is not run again on the subrequest and cannot recurse forever.

The bug (CVE-2025-29927) was that the framework accepted this header from any client. An attacker on the public internet who sent the header with the value the framework expected caused Next.js to skip the middleware entirely for that request, so whatever authentication or authorization logic lived in `middleware.ts` never executed. Any app that relied on middleware alone to protect `/admin` or `/api/internal` could be reached directly. The fix landed in Next.js 15.2.3, with backports to 14.2.25, 13.5.9 and 12.3.5.

Remediation for Developers

  1. Upgrade immediately: CVE-2025-29927 is fixed in Next.js 15.2.3 (and the 14.2.25, 13.5.9 and 12.3.5 backports), which strip `x-middleware-subrequest` from external requests before the recursion check; for React2Shell, move to the patched React and Next.js releases named in the advisories. If you cannot upgrade right away, drop the header at your reverse proxy, CDN or WAF so it never reaches the app.
  2. Defense in Depth: Never treat `middleware.ts` as your only gatekeeper. Call `verifySession()` (or your data-access layer) inside each Server Action, Route Handler and protected page or layout, so a skipped middleware cannot by itself grant access.
  3. Content Security Policy: A strict CSP hardens the browser side, for instance by limiting what script injected into a hydrated `__next_f` payload can do, but it is a client-side control and does nothing against a server-side deserialization bug. Treat it as a complement to upgrading, not a substitute.
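The following added example (plain Node.js, not Next.js source) models the middleware skip described in the subrequest section together with remediation steps 1 and 2 above. It shows the unpatched routing rule skipping `middleware()` when the internal header is present, the patched rule stripping the header before the check, and a handler that re-verifies the session so that a skipped middleware is not enough on its own. The request objects, the `SESSIONS` table, the `middleware`, `adminTrusting` and `adminChecked` handlers, and the routing functions are all toys constructed for this file; the real framework's check also compared the header's value against a version-specific marker, which this model collapses into a presence check.

```javascript
// Added example: a stand-alone model of CVE-2025-29927 and the two-layer fix.
// Not Next.js code; every object below is constructed for illustration.

const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Constructed session table: cookie value -> principal.
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", role: "admin" }],
  ["tok-bob", { user: "bob", role: "viewer" }],
]);

// Build a toy request with lower-cased header names, as Node does.
function makeRequest(path, headers = {}) {
  const lowered = {};
  for (const [k, v] of Object.entries(headers)) lowered[k.toLowerCase()] = v;
  return { path, headers: lowered };
}

// Session lookup from the cookie; null when absent or unknown.
function verifySession(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// What a typical middleware.ts does: redirect anonymous users away from /admin.
function middleware(req) {
  if (req.path.startsWith("/admin") && !verifySession(req)) {
    return { status: 307, location: "/login" };
  }
  return null; // equivalent of NextResponse.next()
}

// Handler that relies on middleware alone (the fragile pattern).
function adminTrusting() {
  return { status: 200, body: "admin dashboard" };
}

// Handler that enforces the rule itself (remediation step 2).
function adminChecked(req) {
  const session = verifySession(req);
  if (!session || session.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: `admin dashboard for ${session.user}` };
}

// Pre-patch behaviour, simplified: a request carrying the internal header is
// treated as the framework's own subrequest and middleware is not run at all.
function routeUnpatched(req, handler) {
  if (SUBREQUEST_HEADER in req.headers) return handler(req);
  return middleware(req) || handler(req);
}

// Patched behaviour (remediation step 1): the header is removed from the
// external request before the recursion check, so only the framework's own
// internal subrequests can ever trigger the skip.
function routePatched(req, handler) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  const cleaned = { ...req, headers };
  return middleware(cleaned) || handler(cleaned);
}

// The cases worth comparing side by side.
function scenarios() {
  const anon = makeRequest("/admin");
  const forged = makeRequest("/admin", { "X-Middleware-Subrequest": "middleware" });
  const alice = makeRequest("/admin", { Cookie: "session=tok-alice" });
  const bob = makeRequest("/admin", { Cookie: "session=tok-bob" });
  return {
    anonUnpatched: routeUnpatched(anon, adminTrusting).status,             // 307
    forgedUnpatchedTrusting: routeUnpatched(forged, adminTrusting).status, // 200: bypass
    forgedUnpatchedChecked: routeUnpatched(forged, adminChecked).status,   // 403: handler holds
    forgedPatched: routePatched(forged, adminTrusting).status,             // 307
    alicePatched: routePatched(alice, adminChecked).status,                // 200
    bobPatched: routePatched(bob, adminChecked).status,                    // 403: wrong role
  };
}
```

The `forgedUnpatchedChecked` case is the whole argument for step 2: with the header forged and the framework unpatched, the redirect never fires, yet the handler's own `verifySession()` still returns 403. A quick check of a deployment is the same experiment over HTTP: send an anonymous request to a protected path with and without the header and confirm the middleware redirect fires in both cases.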