zlacker

[return to "Critical RCE Vulnerabilities in React and Next.js"]
1. mmsc+p6[view] [source] 2025-12-03 16:30:37
>>gonepi+(OP)
These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.

The important part to know:

- Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.

- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack

- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

◧◩
2. jfindp+T9[view] [source] 2025-12-03 16:45:55
>>mmsc+p6
>AFAICT, they're AI generated.

What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think ai over a standard template some junior fills out.

>the vulnerability was not found by a Wiz employee at all

I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?

◧◩◪
3. tenseg+te[view] [source] 2025-12-03 17:04:16
>>jfindp+T9
the tl;dr definitely came out of an llm

presentation and formatting aside the constant attempts to manufacture legitimacy and signal urgency are a classic tell. everything is "near-100%" reliable, urgent, critical, reproducible, catastrophic. siren emoji

◧◩◪◨
4. jfindp+Bf[view] [source] 2025-12-03 17:09:28
>>tenseg+te
The authors have said it isn't.

I can't believe saying a security vulnerability is "reproducible", "critical", etc. is a "classic tell of ai".

I've used "reproducible" and "critical" in my deliverables since well before ai was a thing.

◧◩◪◨⬒
5. rvnx+Yh[view] [source] 2025-12-03 17:20:09
>>jfindp+Bf
Is it so important? It's a mix of AI and human-written. It's normal nowadays and perfectly acceptable.

+ it is maybe 10% AI max, which seems to be for the structure / readability, and there is legit information under.

◧◩◪◨⬒⬓
6. jfindp+1j[view] [source] 2025-12-03 17:24:26
>>rvnx+Yh
>Because author says it, it doesn't mean that it is true.

And because random HNer says it is ai doesn't mean it is ai.

>But still, is it so important?

Not to me, no. If the information is useful/entertaining/etc., I don't really care. But having to read "it's ai!" comments on literally every article/blog posted for the next 10 years is going to be super annoying. Especially if the reasoning provided is "they used the word critical". At least you pointed to something kind of interesting with the quotation marks (although, certainly not definitive of anything), rather than saying some extremely common word = ai.

◧◩◪◨⬒⬓⬔
7. rvnx+Xj[view] [source] 2025-12-03 17:28:16
>>jfindp+1j
Absolutely, anyway you'll have critical judgment to make your own opinion.

What bothers me about the Wiz post is why they want to hide this HTTP request; that is actually not helpful in terms of security.

On the plus side, they help get the word out there, so at least that's something.
