| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| next | npm | >= 14.3.0-canary.77, < 15.0.5 | 15.0.5 |
| next | npm | >= 15.1.1-canary.0, < 15.1.9 | 15.1.9 |
| next | npm | >= 15.2.0-canary.0, < 15.2.6 | 15.2.6 |
| next | npm | >= 15.3.0-canary.0, < 15.3.6 | 15.3.6 |
| next | npm | >= 15.4.0-canary.0, < 15.4.8 | 15.4.8 |
| next | npm | >= 15.5.1-canary.0, < 15.5.7 | 15.5.7 |
| next | npm | >= 16.0.0-canary.0, < 16.0.7 | 16.0.7 |
The vulnerability is a prototype pollution issue in the requireModule function within Next.js's compiled React Server DOM packages. The function did not check whether a requested module property was the module map's own property, so lookups fell through to properties inherited from Object.prototype. An attacker could exploit this to inject malicious properties and achieve remote code execution. The patch addresses this by introducing a hasOwnProperty check, ensuring that only direct properties of the module map can be accessed.

The analysis identified all occurrences of the vulnerable requireModule function across the different runtime environments (browser, edge, node) and build types (development, production) in both the react-server-dom-turbopack and react-server-dom-webpack packages, confirming that the issue is present throughout the framework's rendering pipeline. The affected occurrences are listed below.
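The following is an added example, not code from Next.js or the React Server DOM packages: a simplified model of the module-lookup pattern the advisory describes, placed beside the own-property check that the patch introduces and a null-prototype registry as a further hardening. The registry contents and module ids are constructed for illustration; `requireModuleVulnerable`, `requireModuleHardened`, `createNullProtoRegistry`, `probe` and `auditLookups` are names chosen for this example.

```javascript
// Added example (not the project's own code): models the requireModule
// lookup pattern described in the advisory and the hasOwnProperty fix.

// Constructed registry: keys are module ids, values are module exports.
// A plain object literal inherits from Object.prototype, so a lookup that
// misses the registry's own keys falls through to inherited properties.
const moduleRegistry = {
  "./components/Header.js": { default: () => "<header>Site</header>" },
  "./lib/format.js": { formatDate: (d) => d.toISOString() },
};

// Vulnerable pattern: a bare property read. An id such as "constructor" or
// "__proto__" resolves to an Object.prototype member instead of failing,
// so an untrusted id can reach values that were never registered.
function requireModuleVulnerable(registry, id) {
  return registry[id];
}

// Hardened pattern (what the patch adds): serve only the registry's own
// properties and reject every other id.
function requireModuleHardened(registry, id) {
  if (!Object.prototype.hasOwnProperty.call(registry, id)) {
    throw new Error(`Unknown module: ${id}`);
  }
  return registry[id];
}

// Defence in depth: build the registry without a prototype chain, so there
// is nothing to inherit even if a check is forgotten somewhere.
function createNullProtoRegistry(entries) {
  const registry = Object.create(null);
  for (const [id, mod] of Object.entries(entries)) {
    registry[id] = mod;
  }
  return registry;
}

// Reports what a lookup yields: the typeof of the result, "undefined" for a
// miss, or "rejected" when the lookup throws.
function probe(registry, id, lookup) {
  try {
    const result = lookup(registry, id);
    return result === undefined ? "undefined" : typeof result;
  } catch (err) {
    return "rejected";
  }
}

// Compares the three variants for each id. The report object itself is
// created with a null prototype so that an id of "__proto__" is stored as
// an ordinary key rather than rewiring the report's prototype.
function auditLookups(ids) {
  const nullProtoRegistry = createNullProtoRegistry(moduleRegistry);
  const report = Object.create(null);
  for (const id of ids) {
    report[id] = {
      vulnerable: probe(moduleRegistry, id, requireModuleVulnerable),
      hardened: probe(moduleRegistry, id, requireModuleHardened),
      nullProto: probe(nullProtoRegistry, id, requireModuleVulnerable),
    };
  }
  return report;
}

console.log(auditLookups(["./lib/format.js", "constructor", "__proto__"]));
```

Running the block shows that the registered id resolves identically under all three variants, while "constructor" and "__proto__" resolve to inherited values under the bare read, are rejected by the own-property check, and simply miss on the null-prototype registry. Inventory checks for this class of bug therefore look for bracket reads on plain objects keyed by externally supplied names, and the fix is either the own-property guard or a registry that cannot inherit.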
| Function | File |
|---|---|
| requireModule | packages/next/src/compiled/react-server-dom-turbopack-experimental/cjs/react-server-dom-turbopack-client.browser.development.js |
| requireModule | packages/next/src/compiled/react-server-dom-turbopack-experimental/cjs/react-server-dom-turbopack-client.browser.production.js |
| requireModule | packages/next/src/compiled/react-server-dom-turbopack-experimental/cjs/react-server-dom-turbopack-server.node.development.js |
| requireModule | packages/next/src/compiled/react-server-dom-webpack-experimental/cjs/react-server-dom-webpack-client.browser.development.js |
| requireModule | packages/next/src/compiled/react-server-dom-webpack-experimental/cjs/react-server-dom-webpack-server.node.unbundled.development.js |