
Your AI Wants You to Build with React. The 2026 CVE Record Says Maybe Don't.

5 min read · Team

Between December 2025 and May 2026, the React Server Components (RSC) protocol shipped at least seven CVEs — including one CVSS 10.0 pre-auth RCE (CVE-2025-55182, “React2Shell”). In the same window: Svelte issued five CVEs, Astro shipped one SSRF, Vue had zero meaningful runtime CVEs. Your AI coding assistant still recommends React. That gap is a decision you should be making consciously.

Introduction

Open a fresh terminal. Ask Cursor, Claude Code, GitHub Copilot, or ChatGPT to “build me a SaaS dashboard.” Watch what happens.

Within three messages, you’ll have npx create-next-app. The AI didn’t ask about your team’s expertise, your performance budget, your hosting, or your threat model. React is the default. Next.js is the spice. React Server Components are the assumed architecture.

In late 2025 and early 2026, that default got a lot more expensive. The Flight protocol that powers React Server Components — the thing your AI is autocompleting onto your production server — has been the source of one of the worst back-to-back CVE runs in modern framework history.

This post isn’t anti-React. React still wins on ecosystem, hiring, and React Native. The question is narrower: when your AI hands you 'use server' by default, do you know what surface area you’re signing up for?

The Six-Month Receipts

Here is the chronology, with severities and CVE IDs that anyone can verify:

| Date | CVE | Component | Severity | What it was |
|---|---|---|---|---|
| Dec 3, 2025 | CVE-2025-55182 | RSC Flight protocol | CVSS 10.0 | “React2Shell” — pre-auth RCE via deserialised Server Function input |
| Dec 11, 2025 | CVE-2025-55183 | RSC | Medium | Source code exposure — leaks Server Function source incl. secrets |
| Dec 11, 2025 | CVE-2025-55184 | RSC | High | Denial of service |
| Dec 11, 2025 | CVE-2025-67779 | RSC | High | Denial of service |
| Dec 12, 2025 | CVE-2025-66478 | Next.js | High | Exploit chain leveraging the December RSC issues |
| Jan 26, 2026 | CVE-2026-23864 | RSC | CVSS 7.5 | DoS via crafted Server Function requests |
| May 7, 2026 | CVE-2026-23870 | RSC Flight | High | DoS via crafted POST → excessive CPU |
| May 7, 2026 | CVE-2026-44579 | Next.js Cache Components | High | Request-body deadlock on Partial Prerendering apps |
| May 7, 2026 | + 10 more | Next.js | Various | Middleware/proxy bypass, XSS, SSRF, cache poisoning |

The May 2026 batch alone: thirteen advisories patched in a single release (Next.js 16.2.6 / 15.5.18). React Server Components were named in CVE-2026-23870 specifically. The Vercel team disclosed twelve of them at once, which is the polite way of saying “we found a hole, then found that hole had friends.”

Why does it keep happening? The RSC Flight protocol does what Java RMI did in the 90s: it serialises live objects across a network boundary and reanimates them on the other side. That’s an inherently dangerous primitive, and the historical CVE record for every framework that’s ever tried it (Java, Rails Marshal, PHP unserialize) backs that up.

What Other Frameworks Shipped in the Same Window

Holding the same time window — Dec 2025 to May 2026 — here is what the rest of the field looked like.

Svelte / SvelteKit: Five CVEs as a cohort, including CVE-2026-22774, 22775, 22803 (SSR XSS via spread attributes), and CVE-2025-67647. None of them touched a serialisation protocol. The Svelte team explicitly published a roundup post explaining each one — a useful pattern other frameworks could copy.

Astro: One notable CVE — CVE-2026-27829, an SSRF in the inferSize image helper. Patch landed in 6.1.6. Astro’s static-first model doesn’t ship a serialisation runtime to begin with, so the RSC class of bug simply doesn’t exist for it.

Vue (core): Zero meaningful runtime CVEs in 2026 to date. The Vue framework itself remains conservative about adding network primitives; the equivalent of RSC (Nuxt server functions) is not the same protocol surface.

Solid / Qwik: Zero published CVEs in this window. (Smaller surface, smaller blast radius — though also smaller deploy footprint, so this is partly survivor bias.)

Angular: One XSS-class advisory (CVE-2026-32635). Patched cleanly. No protocol-level issues.

The pattern isn’t subtle. Every framework has CVEs. Only one keeps shipping CVEs in the same architectural component, six months running.

Why Your AI Doesn’t Know This

Coding assistants don’t have a security taste. They have a training distribution. And the training distribution for “how do I build a modern web app” is:

  • 2018-2024 React tutorials
  • The Next.js docs (extensively)
  • StackOverflow answers from when RSC was new and exciting
  • Open-source repos that disproportionately use Next.js

When you ask an LLM to scaffold a project, it’s pattern-matching against that corpus. It doesn’t know that the Flight protocol has been a serial offender. It doesn’t know that you’re going to deploy to a public-facing Vercel domain where every Server Function endpoint is reachable. It doesn’t weight CVE history against the question “what should I use.”

This is fine for a hobby project. It’s increasingly not fine for production.

Anthropic, OpenAI, and Cursor are all working on this — security-aware code generation is an active research area. But until the model weights catch up, you are the one who has to override the autocomplete.

When React Is Still Right

Let’s be clear about where React still wins, because this post would be intellectually dishonest otherwise:

  • You’re hiring at scale. There are 10× more React devs available than Svelte devs. If your team will be 50 engineers by EOY, hiring trumps CVE count.
  • You need React Native or React Three Fiber. No competitor framework gets you cross-platform mobile + web from one paradigm.
  • You’re already on React. Migration cost is real. A team productive in React shouldn’t rewrite to chase a security trendline that may stabilise.
  • You don’t use Server Components. If your React app is purely client-side or uses the Pages Router without Server Functions, none of the RSC CVEs above touch you. Read the advisory text carefully — most have the line “If your app’s React code does not use a server, your app is not affected.”

That last point is the cleanest escape hatch. The RSC CVE pile is specifically about RSC. Plain React + a separate API server has roughly the same risk profile as Vue + the same API server.
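The advisory line quoted above only helps if you can answer it for your own codebase. The following is an added example, not code from the original post or from the React or Next.js projects: it inventories which source files opt into Server Functions via the 'use server' directive, at module level or inline in a function body, so "does our React code use a server?" is answered by a scan rather than a guess. The file contents are constructed samples; in a real repository you would read them from disk with fs.readFileSync.

```javascript
// Added example (not from the original post): inventory which source files opt
// into React Server Functions via the 'use server' directive. File contents
// below are constructed samples; in a real repo read them with fs.readFileSync.

// A directive statement is a line consisting only of 'use server' or "use server".
const DIRECTIVE = /^(['"])use server\1;?$/;

// First non-blank, non-comment line of a module, which is where a
// module-level directive has to sit. Handles // and /* */ comments line by line.
function firstStatement(source) {
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    let line = raw.trim();
    if (inBlock) {
      const end = line.indexOf('*/');
      if (end === -1) continue;
      inBlock = false;
      line = line.slice(end + 2).trim();
    }
    if (line === '' || line.startsWith('//')) continue;
    if (line.startsWith('/*')) {
      const end = line.indexOf('*/', 2);
      if (end === -1) { inBlock = true; continue; }
      line = line.slice(end + 2).trim();
      if (line === '') continue;
    }
    return line;
  }
  return '';
}

function inspectFile(file) {
  const lines = file.source.split(/\r?\n/).map((l) => l.trim());
  const directiveLines = lines.filter((l) => DIRECTIVE.test(l)).length;
  // Module-level directive: every export of the file is a Server Function.
  const moduleLevel = DIRECTIVE.test(firstStatement(file.source));
  // Inline directive: 'use server' as the first statement of a function body.
  const inlineCount = directiveLines - (moduleLevel ? 1 : 0);
  return { path: file.path, moduleLevel, inlineCount, usesServerFunctions: directiveLines > 0 };
}

function inventory(files) {
  const reports = files.map(inspectFile);
  return {
    reports,
    exposedPaths: reports.filter((r) => r.usesServerFunctions).map((r) => r.path),
  };
}

// Constructed sample repository: one module-level Server Function file, one
// inline Server Function inside a page, one client component, one Pages Router API route.
const SAMPLE_FILES = [
  { path: 'app/actions.ts',
    source: "// Server Functions shared by several pages\n'use server';\n\nexport async function saveProfile(form) {\n  return db.update(form);\n}\n" },
  { path: 'app/profile/page.tsx',
    source: "export default function Page() {\n  async function submit(form) {\n    'use server';\n    await saveProfile(form);\n  }\n  return <form action={submit} />;\n}\n" },
  { path: 'components/Counter.tsx',
    source: "'use client';\nimport { useState } from 'react';\nexport function Counter() { const [n, set] = useState(0); return <button onClick={() => set(n + 1)}>{n}</button>; }\n" },
  { path: 'pages/api/hello.js',
    source: "export default function handler(req, res) { res.status(200).json({ ok: true }); }\n" },
];

console.log(JSON.stringify(inventory(SAMPLE_FILES), null, 2));
```

Treat the result as a lower bound: a file with no directive can still be rendered as a Server Component under the App Router, so an empty `exposedPaths` tells you there are no Server Function endpoints, not that the Flight protocol is absent. A non-empty list is the set of files to re-read against each new RSC advisory.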

When To Push Back on Your AI

Your AI hands you create-next-app with App Router enabled. Pause. Ask yourself:

  1. Will this app ever face the public internet? If yes, every Server Function endpoint is part of your attack surface.
  2. Is the content static or near-static? Marketing sites, blogs, docs, product pages — Astro and SvelteKit get you better Web Vitals and a smaller CVE corpus.
  3. Is the interactive surface small? A landing page with a contact form does not need RSC. Astro islands + a Svelte form component is one CVE class smaller.
  4. Do you have a security review pipeline? If you don’t have automated dependency scanning + a weekly upgrade discipline, you should not be picking the framework that ships the most CVEs.
  5. What does your hosting do for you? Vercel and Cloudflare both shipped WAF rules for the May 2026 advisories within hours. Self-hosting Next.js means you eat that mitigation yourself.

If you answered “Vercel, dynamic SaaS, large React team, weekly upgrades” — go ahead and use Next.js. The risk is managed.

If you answered “static-ish, small team, no security pipeline, self-hosting” — your AI is steering you toward maintenance pain you don’t have the bandwidth for. Push back.

The Quiet Cost: Patch Velocity

There’s a second-order effect nobody talks about. Every CVE patch is a forced production deploy.

Between January and May 2026, a Next.js shop has shipped:

  • One emergency RSC patch (Jan 26)
  • One emergency Next.js patch (Feb, downstream of RSC)
  • One thirteen-CVE batch (May 7)
  • Several follow-up patches on minor versions

For a small team with no dedicated security engineer, that’s roughly one urgent upgrade per six weeks — each requiring regression testing, staging verification, and a coordinated deploy.

In the same window, an Astro shop has shipped maybe one urgent upgrade. A Svelte shop, two.

This is not theoretical. Patch fatigue is the slow-motion version of an outage: your team stops upgrading on time, drift accumulates, then a CVE drops and you can’t ship the fix without three weeks of refactoring.

The Verdict

This isn’t “abandon React.” React is fine. Plain React is safer than Next.js in 2026, because plain React doesn’t include the Flight protocol. Vue, Astro, SvelteKit, Solid, and Qwik are all currently shipping fewer CVEs in absolute and per-feature terms than the React + Next.js stack.

The actionable rule:

  • Default-suggested code from an AI is not a default decision. It’s a starting point you need to evaluate against your own constraints — including security.
  • For greenfield, content-led work, Astro or SvelteKit gives you better Web Vitals and a smaller CVE blast radius. The performance data backs this up; the security data now does too.
  • For SaaS with real backends, plain React + your own API is safer than Next.js App Router + Server Functions if you can’t keep up with the patch cadence.
  • If you must use Next.js, set up npm audit in CI, subscribe to the Vercel security feed, and budget a security maintenance day every two weeks.
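One concrete form of the "npm audit in CI" rule, as an added example that is not from the original post or from Vercel: a gate script that fails the build when the locked Next.js version is below the May 2026 patch releases the post names (16.2.6 on the 16.x line, 15.5.18 on the 15.x line), or when the `npm audit --json` report contains a finding at or above a severity floor. The lockfile and audit report are constructed samples; in CI you would JSON.parse package-lock.json and the stdout of `npm audit --json`, then exit non-zero when `gate` reports problems.

```javascript
// Added example (not from the original post): CI gate for Next.js patch floors
// and npm audit findings. The lockfile and audit report are constructed samples.

// Patched versions named in the post for the May 2026 batch. Any other major
// line is treated as unknown and fails, so a reviewer has to look it up.
const PATCH_FLOORS = { 16: '16.2.6', 15: '15.5.18' };

// Parse "major.minor.patch" with an optional prerelease suffix.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Negative when a < b. A prerelease of X sorts below the X release.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (a.prerelease !== b.prerelease) return a.prerelease ? -1 : 1;
  return 0;
}

function nextVersionOk(installed) {
  const v = parseSemver(installed);
  if (!v) return { ok: false, reason: `unparseable version "${installed}"` };
  const floor = PATCH_FLOORS[v.nums[0]];
  if (!floor) return { ok: false, reason: `no patch floor known for next ${v.nums[0]}.x; check the advisory` };
  const ok = compareSemver(v, parseSemver(floor)) >= 0;
  return { ok, reason: ok ? `${installed} >= ${floor}` : `${installed} is below patched ${floor}` };
}

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm audit --json (npm 7+) lists findings under `vulnerabilities`, keyed by
// package name, each carrying `severity`, `range`, `isDirect` and `fixAvailable`.
function auditFindings(report, floor) {
  const min = SEVERITY_RANK[floor];
  return Object.entries(report.vulnerabilities || {})
    .filter(([, v]) => (SEVERITY_RANK[v.severity] ?? 0) >= min)
    .map(([name, v]) => ({ name, severity: v.severity, range: v.range, fixAvailable: Boolean(v.fixAvailable) }));
}

// Returns { pass, problems }; the CI wrapper exits non-zero when pass is false.
function gate(lockfile, auditReport, severityFloor = 'high') {
  const problems = [];
  const nextEntry = (lockfile.packages || {})['node_modules/next'];
  if (nextEntry) {
    const check = nextVersionOk(nextEntry.version);
    if (!check.ok) problems.push(`next: ${check.reason}`);
  }
  for (const f of auditFindings(auditReport, severityFloor)) {
    problems.push(`${f.name}: ${f.severity} (${f.range})${f.fixAvailable ? ', fix available' : ''}`);
  }
  return { pass: problems.length === 0, problems };
}

// Constructed samples: a lockfile one patch behind, and an audit report with
// one high and one low finding against placeholder package names.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: { '': { name: 'dashboard' }, 'node_modules/next': { version: '16.2.5' } },
};
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dep': { name: 'example-dep', severity: 'high', isDirect: true, range: '<2.0.1', fixAvailable: true },
    'example-util': { name: 'example-util', severity: 'low', isDirect: false, range: '<1.4.0', fixAvailable: false },
  },
};

const result = gate(SAMPLE_LOCKFILE, SAMPLE_AUDIT);
console.log(result.pass ? 'PASS' : 'FAIL', result.problems);
```

The version floor is deliberately separate from the audit check: `npm audit` only knows about an advisory once it lands in the registry's database, while the floor can be raised the moment a framework announcement goes out, which is the gap the "subscribe to the Vercel security feed" item is meant to close.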

Your AI does not know your threat model. Your AI does not read your npm audit output. Your AI is not on-call when the next RSC CVE drops at 3am UTC on a Wednesday.

You are.

Pick accordingly.
