zlacker

Thread: "Critical RCE Vulnerabilities in React and Next.js"
1. mmsc+p6 2025-12-03 16:30:37
>>gonepi+(OP)
These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.

The important part to know:

- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack

- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

2. galnag+7a 2025-12-03 16:47:09
>>mmsc+p6
Hey mmsc, first of all - the blogs are not AI Generated!

Second of all, the blog did add more information:

"In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks."

In the end - if it helped spread the news about this risk so teams can fix them faster, then this is our end-goal with these blog posts :)
