The important part to know:
- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think ai over a standard template some junior fills out.
>the vulnerability was not found by a Wiz employee at all
I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?
presentation and formatting aside the constant attempts to manufacture legitimacy and signal urgency are a classic tell. everything is "near-100%" reliable, urgent, critical, reproducible, catastrophic. siren emoji
I can't believe saying a security vulnerability is "reproducible", "critical", etc. is a "classic tell of ai".
I've used "reproducible" and "critical" in my deliverables since well before ai was a thing.
+ it is maybe 10% AI max, which seems to be for the structure / readability, and there is legit information under.
Same way if you read an article full of typos you lose trust in it. Those tells of AI voice undermine the author and make the reader suspicious
Not for long! This seems like this will soon be the only way to put something on the internet without people rabidly saying its ai (at least for a few weeks, until people start prompting for typos to be included).