
[return to "RCE Vulnerability in React and Next.js"]
1. AgentK+V 2025-12-03 16:04:20
>>rayhaa+(OP)
CVE 10.0 is bonkers for a project this widely used
2. nine_k+7p 2025-12-03 17:49:44
>>AgentK+V
The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack

3. ascorb+0t 2025-12-03 18:08:10
>>nine_k+7p
That number is misleadingly low, because it doesn't include Next.js, which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.