React & Next.js

Security vulnerabilities specific to React and Next.js applications. XSS via dangerouslySetInnerHTML, token storage, source maps, CORS, and middleware issues.

7 vulnerabilities

dangerouslySetInnerHTML Without Sanitization

high

Using React's dangerouslySetInnerHTML with unsanitized user input allows attackers to inject malicious scripts that execute in other users' browsers.

CWE-79, A03:2021

Authentication Tokens in localStorage

high

Storing JWT tokens, session tokens, or API keys in localStorage makes them accessible to any JavaScript running on the page, including XSS payloads.

CWE-922, A07:2021

__NEXT_DATA__ Secrets Exposure

high

Next.js page props passed through getServerSideProps or getStaticProps leak sensitive data like API keys, database URLs, or internal configuration via the __NEXT_DATA__ script tag.

CWE-200, A01:2021

Source Maps Exposed in Production

medium

JavaScript source map files (.map) are publicly accessible in production, revealing the complete original source code including comments, variable names, and internal logic.

CWE-540, A05:2021

Open CORS in Next.js API Routes

medium

Next.js API routes configured with Access-Control-Allow-Origin: * allow any website to make authenticated cross-origin requests, enabling CSRF-like attacks.

CWE-942, A05:2021

No CSRF on Server Actions

medium

Server Actions can be called from malicious third-party sites without origin validation, letting attackers trigger state-changing requests on behalf of logged-in users.

CWE-352A01:2021

Next.js Middleware Bypass (CVE-2025-29927)

critical

A critical vulnerability in Next.js versions before 15.2.3 allows attackers to bypass middleware-based auth checks entirely by sending a crafted internal header.

CWE-863, A01:2021