NextJS's new major vulnerability

A vulnerability in NextJS Server Components allows remote code execution on any server running NextJS.

Better Stack has a really good video on this; you should check it out here:

https://www.youtube.com/watch?v=iV48tEiHFDY

Basically, malicious parties can inject code into the server actions that can grab credentials, make queries to the DB to steal your data, or even be used to turn your servers into vectors of attack for a massive DDoS.

If you are running NextJS / React, it's time to start updating to the latest versions.