>>rayhaa+(OP)
there can be no React RCE. if it is on the frontend, it is a browser RCE. if it is on the backend, then, as in this case it is a Next.js RCE.
>>z3ratu+682
The Next.js server runs React modules. While one may argue that Next.js shouldn't bundle vulnerable dependencies, React does have modules for server-side runtimes these days and should be accountable.