Last week's news but still ongoing. 39% of publicly exposed web apps may be affected, with vibe-coded apps at even higher risk because many rely on default framework setups.
A maximum-severity security flaw has been disclosed in React Server Components and Next.js that can allow unauthenticated attackers to gain full control of a vulnerable server via a single crafted request. In practical terms, this means potential access to your environment variables, secret keys, databases and backend logic.
If you have any public apps:
(1) check whether they use Next.js or any framework with server-side components,
(2) verify whether your version falls within the affected releases, and
(3) upgrade immediately to a patched version and redeploy.
Non-vibe-coded apps can be affected as well.
Edit: Hacker activity to exploit this vulnerability is massive now. If your app has this door wide open, they WILL walk in freely.
Severity: 10.0 (Critical)
Impact: Full system compromise
Target: mass exploitation.
If you're not tech and have vibe-coded an app, read the comment below by
More info: I can't provide links because they're not allowed in this group; you can google Security Advisory: CVE-2025-66478.
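An added example (not part of the original post or the advisory) for checks (1) and (2): it lists every copy of `next` and the React Server Components bundler packages found in a parsed `package-lock.json`, including copies nested under other dependencies, and compares each against a table of first patched versions. The function names, the watched package list and the 98.x/99.x versions are assumptions and constructed placeholders; fill the table from the official advisory.

```javascript
// Added example. Packages to watch (assumption: next plus the RSC bundler packages).
const WATCHED = /^(next|react-server-dom-(webpack|parcel|turbopack))$/;

// "15.1.3-canary.2" -> [15, 1, 3]; the prerelease tag is dropped here.
const parseVersion = (v) => v.split('-')[0].split('.').map(Number);

function isBelow(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3).
// firstPatched: { name: { "major.minor": "first fixed version" } }, from the advisory.
function auditLockfile(lock, firstPatched) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // also catches nested copies
    if (!WATCHED.test(name) || !meta.version) continue;
    const [major, minor] = parseVersion(meta.version);
    const fix = (firstPatched[name] || {})[`${major}.${minor}`];
    let status = 'check-advisory'; // no table entry, or a prerelease build
    if (fix && !meta.version.includes('-')) {
      status = isBelow(meta.version, fix) ? 'upgrade' : 'ok';
    }
    findings.push({ path, name, version: meta.version, status });
  }
  return findings;
}

// Constructed sample data: the 98.x/99.x versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '99.1.2' },
    'node_modules/react': { version: '99.0.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '99.0.3' },
    'node_modules/react-server-dom-parcel': { version: '98.4.0' },
  },
};
const SAMPLE_FIXES = {
  next: { '99.1': '99.1.5' },
  'react-server-dom-webpack': { '99.0': '99.0.3' },
};

console.table(auditLockfile(SAMPLE_LOCK, SAMPLE_FIXES));
```

For a real project, pass the parsed contents of your own `package-lock.json` in place of `SAMPLE_LOCK`; any row marked `upgrade` or `check-advisory` needs a look before you redeploy.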