My understanding of the issue is that even if you don't use server components, you're still vulnerable.
Unless you're running a static html export - eg: not running the nextjs server, but serving through nginx or similar
My understanding of the issue is that even if you don't use server components, you're still vulnerable.
Unless you're running a static html export - eg: not running the nextjs server, but serving through nginx or similar
Yeah, crucially it says
> If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
https://react.dev/blog/2025/12/03/critical-security-vulnerab...
So if you have a backend that supports RSC, even if you don't use it, you can still be vulnerable.
GP said they only shipped front ends but that can mean a lot.
Edit:link
They might be referring to another Vercel vulnerability that allowed anyone to bypass their auth with relative ease due to poor engineering practices:
https://nvd.nist.gov/vuln/detail/CVE-2025-29927
That plus the most recent react one, and you have a culture that does not care for their customers but rather chasing fads to help greedy careers.