It seems like this might be one of the biggest vulnerabilities in recent times...
The default react / nextjs configurations being vulnerable to RCE is pretty insane. I think platform level protections from Vercel / Cloudflare are very much showing their utility now!