Important Notice for React & Next.js Applications

  • Saturday, 20th December, 2025
  • 14:33pm


We would like to inform our clients running React or Next.js applications about a recently observed issue that may cause abnormally high server resource usage, potentially leading to service instability or temporary downtime.

Key clarification:

There is NO server breach, NO unauthorized access, and NO compromise of server security.
The issue originates from application runtime behavior, not from the server infrastructure.


 What is the issue?

Under certain conditions—especially with:

  • Next.js App Router / React Server Components

  • Incorrect production configuration

  • Running development mode on production servers

  • Misconfigured systemd or PM2 restart policies

The application may spawn an excessive number of Node.js processes, resulting in:

  • CPU usage spiking far beyond normal limits

  • Thousands of active or zombie processes

  • Build failures (e.g. spawn /usr/bin/node EAGAIN)

  • Temporary service disruption


 Is this a security breach?

  • ❌ No server-level security breach

  • ❌ No data exposure

  • ⚠️ Classified as an application-level resource exhaustion issue

  • ✅ Addressed through dependency updates and proper runtime configuration


 Recommended actions (Application side)

1️⃣ Update dependencies

Ensure React and Next.js are updated to the latest stable versions and review official security advisories.

2️⃣ Do NOT run development mode in production

❌ Incorrect:

  next dev
  bun run dev

✅ Correct:

  bun run build
  NODE_ENV=production bun run start

3️⃣ Limit worker processes

Before building or starting the application:

  export NEXT_PRIVATE_WORKER_COUNT=1
  export NODE_OPTIONS="--max-old-space-size=2048"

4️⃣ Review process managers

If using systemd or PM2:

  • Avoid infinite restart loops

  • Set reasonable restart limits

  • Ensure failed builds do not auto-respawn endlessly
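The four steps above fit naturally into one deployment script. The following is an added example, not a script supplied by the hosting provider or by the React/Next.js projects: it refuses any start command that launches development tooling, exports the production environment from step 3, and renders a systemd unit whose restart policy and resource caps implement step 4. The application directory, service user, start command and the specific limit values (five restarts per ten minutes, 256 tasks, 3G of memory) are assumptions chosen for illustration; adjust them to the application.

```shell
#!/bin/sh
# Deployment guard for a Next.js application (added example, not provider code).
# Assumptions: the app is started with "bun run start" from its directory, and the
# rendered unit is reviewed before being installed under /etc/systemd/system/.
set -eu

# Return 0 when a start command is acceptable for production and 1 when it
# would launch development mode (the "next dev" / "bun run dev" case above).
is_production_command() {
  case "$1" in
    *"next dev"*|*"run dev"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Environment from the recommended actions: production mode, a single build
# worker, and a bounded V8 heap.
production_env() {
  printf 'NODE_ENV=production\n'
  printf 'NEXT_PRIVATE_WORKER_COUNT=1\n'
  printf 'NODE_OPTIONS=--max-old-space-size=2048\n'
}

# Render a systemd unit with bounded restarts and per-service resource caps.
# $1 = application directory, $2 = service user, $3 = start command.
render_unit() {
  app_dir=$1
  svc_user=$2
  start_cmd=$3
  is_production_command "$start_cmd" || {
    echo "refusing dev-mode start command: $start_cmd" >&2
    return 1
  }
  cat <<EOF
[Unit]
Description=Next.js application in $app_dir
After=network.target
# Stop retrying after 5 failed starts within 10 minutes instead of looping forever.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
User=$svc_user
WorkingDirectory=$app_dir
$(production_env | sed 's/^/Environment=/')
ExecStart=$start_cmd
# Restart only on failure, with a pause, so a broken build cannot respawn in a tight loop.
Restart=on-failure
RestartSec=10
# Cap what one runaway build or server process tree can consume on the host.
TasksMax=256
MemoryMax=3G
CPUQuota=200%

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (constructed values):
#   render_unit /srv/myapp nextjs 'bun run start' > myapp.service
#   render_unit /srv/myapp nextjs 'bun run dev'   # exits 1, nothing rendered
```

`TasksMax` is the directive that directly bounds the "thousands of processes" symptom: once the service's cgroup reaches the limit, further `fork`/`spawn` calls fail inside that service only, rather than exhausting the host's process table. `StartLimitBurst` together with `Restart=on-failure` is what stops a failing `bun run build`/`bun run start` from being respawned endlessly.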


 What we have done on the server side

To maintain overall system stability, we have:

  • Applied protective process and resource limits

  • Prevented any single application from impacting the entire server

  • Increased monitoring and early detection

These measures are preventive and do not affect application data or functionality.
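The symptoms listed earlier (an excessive number of Node.js processes, zombie processes, and `spawn /usr/bin/node EAGAIN` build failures) can be detected from ordinary process listings and build logs before they become an outage. The following monitoring script is an added example, not the provider's monitoring tooling: it counts Node.js processes per user and zombies from `ps -eo user,pid,ppid,stat,comm` output, flags users above a threshold, and greps build logs for the EAGAIN spawn error. The embedded process listing and log lines are constructed sample data; the threshold of 3 processes is an assumption for the sample, and a real server would use a value suited to its workload.

```shell
#!/bin/sh
# Early-detection checks for Node.js process exhaustion (added example, not provider code).
# Assumed input layout: the five columns printed by "ps -eo user,pid,ppid,stat,comm".
set -eu

# Constructed sample listing: app1 has four node processes, two of them zombies.
SAMPLE_PS='USER       PID  PPID STAT COMM
root         1     0 Ss   systemd
app1      2301     1 Ssl  node
app1      2310  2301 Rl   node
app1      2311  2301 Z    node
app1      2312  2301 Z    node
app2      2400     1 Ssl  node
www-data  3001     1 S    nginx'

# Constructed sample build log containing the failure quoted in the notice.
SAMPLE_LOG='info  - Creating an optimized production build
Error: spawn /usr/bin/node EAGAIN
    at ChildProcess.spawn (node:internal/child_process:420:11)'

# Number of node processes owned by user $1 (ps listing on stdin).
node_count_for_user() {
  awk -v u="$1" 'NR > 1 && $1 == u && $5 == "node" { n++ } END { print n + 0 }'
}

# Number of zombie processes of any kind (STAT begins with Z).
zombie_count() {
  awk 'NR > 1 && $4 ~ /^Z/ { n++ } END { print n + 0 }'
}

# Print "user count" for every user whose node process count exceeds $1.
flag_users() {
  awk -v t="$1" '
    NR > 1 && $5 == "node" { c[$1]++ }
    END { for (u in c) if (c[u] > t) print u, c[u] }'
}

# Return 0 if the build log on stdin shows the EAGAIN spawn failure, else 1.
log_has_spawn_eagain() {
  grep -q 'spawn .*node EAGAIN'
}

# Run the checks against the live system; intended for a cron job or a timer.
live_report() {
  threshold=${1:-200}
  ps -eo user,pid,ppid,stat,comm | flag_users "$threshold" |
    while read -r u n; do
      echo "WARNING: user $u runs $n node processes (threshold $threshold)"
    done
  z=$(ps -eo user,pid,ppid,stat,comm | zombie_count)
  [ "$z" -eq 0 ] || echo "WARNING: $z zombie processes present"
}

# Sample run on the constructed data (threshold 3 is an assumption for the sample):
#   printf '%s\n' "$SAMPLE_PS" | flag_users 3          # prints: app1 4
#   printf '%s\n' "$SAMPLE_PS" | zombie_count          # prints: 2
#   printf '%s\n' "$SAMPLE_LOG" | log_has_spawn_eagain # exit status 0
```

On a live host, `live_report 200` can be scheduled every few minutes; a rising per-user node count together with zombies is the early signature of the restart loops described above, and the EAGAIN match in a build log is the point at which the process table or the user's process limit has already been reached.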


 Will the issue return?

  • ❌ No, if the application is properly updated and configured

  • ⚠️ Yes, if outdated code or configurations are redeployed without fixes


 Need assistance?

Our support team is available to:

  • Coordinate with your development team

  • Review runtime configuration

  • Assist during redeployment and rebuild

Please contact us via the ticket system for further support.

Best regards,
Technical Support Team



 Official References & Sources

  • React – Official Security Advisory (React Server Components / RCE)

    • React Blog & GitHub Security Advisories

  • Next.js – Security Updates

    • Next.js official repository – Security Advisories

    • Next.js Blog (Security & Stability updates)

  • GitHub Advisory Database

    • Central database for known vulnerabilities in open-source packages

  • Microsoft Security Research – React2Shell

    • Technical analysis of React Server Component vulnerabilities

Recommendation: Development teams should always rely on official framework advisories and avoid running development tooling on production servers.
