[vinnymac]

The official blog post disagrees.

> Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

[jazzypants]

Oops, yeah. My bad, you're right. It makes sense that any flight server that is capable of interpreting server functions would be vulnerable whether the codebase used them or not. It's an issue in the transport mechanism and not the actual RPC implementation.