<p>For years the advice was simple: validate input, escape output, patch your dependencies. Then a deserialization flaw in the React Server Components protocol turned an unauthenticated HTTP request into remote code execution across an entire generation of Next.js applications.</p>
<h2>Why It Mattered</h2>
<p>The vulnerability did not live in anyone's business logic. It lived in the <strong>framework's wire protocol</strong> — the thing every App Router app trusts implicitly. A crafted request walked an object reference into a server-side gadget chain. No credentials, no user interaction, no exotic preconditions.</p>
<blockquote>
<p>"You cannot out-validate a bug in the layer doing the validating."</p>
</blockquote>
<h2>What We Tell Clients</h2>
<ul>
<li><strong>Inventory your framework versions like they are dependencies — because they are.</strong> A version banner in a JavaScript bundle is an asset, and an attacker's first query.</li>
<li><strong>Patch latency is exposure.</strong> Mass exploitation of this class began within days of disclosure.</li>
<li><strong>Rotate secrets after patching.</strong> If the app was reachable while vulnerable, assume the environment was readable.</li>
</ul>
<p>Cryptex Labs tracks framework-level advisories against client estates and validates exposure with non-destructive checks — so the answer to "are we affected?" is evidence, not a guess.</p>


React2Shell: When the Framework Is the Attack Surface

Why It Mattered

What We Tell Clients