zlacker

[return to "Critical RCE Vulnerabilities in React and Next.js"]
1. mmsc+p6[view] [source] 2025-12-03 16:30:37
>>gonepi+(OP)
These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.

The important part to know:

- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack

- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

◧◩
2. gonepi+ab[view] [source] 2025-12-03 16:51:32
>>mmsc+p6
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).
[go to top]