

This is not related to "use server". That's used to mark Server Actions / Server Functions, and it is not necessarily used in files with Server Components.


It sounds related to me. The react.dev blog post [1] says that the vulnerability is

> a flaw in how React decodes payloads sent to React Server Function endpoints

and the react.dev docs for React Server Functions [2] say that

> Server Components can define Server Functions with the "use server" directive [...] Client Components can import Server Functions from files that use the "use server" directive

So it certainly sounds like the vulnerability is related to React Server Functions which are related to "use server".

[1] https://react.dev/blog/2025/12/03/critical-security-vulnerab...

[2] https://react.dev/reference/rsc/server-functions


No. You cannot find all vulnerable code by grepping for "use server", for instance.


So that’s your “it’s not related to use server” argument?

That seems like it could be a quote from their hardening guide.


I think the top-level comment was criticizing the entire feature (server functions) enabled by "use server". The vulnerability is in this feature, so (as I understand it) you're correct that grepping for "use server" won't find the vulnerable code, but if there was no such thing as "use server" the vulnerability wouldn't exist.


I'm sorry, but you're incorrect. That is genuinely how this CVE works. All (and only) code with "use server" was vulnerable.


The official blog post disagrees.

> Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.


Oops, yeah. My bad, you're right. It makes sense that any flight server that is capable of interpreting server functions would be vulnerable whether the codebase used them or not. It's an issue in the transport mechanism and not the actual RPC implementation.
