NextJS was just bog standard “we designed an insecure API and now everyone can do RCE” though.

Everyone has been able to exploit that for ages. It only became a problem when it was discovered and publicised.