zlacker

Thread: "RCE Vulnerability in React and Next.js"
1. AgentK+V 2025-12-03 16:04:20
>>rayhaa+(OP)
CVE 10.0 is bonkers for a project this widely used
2. nine_k+7p 2025-12-03 17:49:44
>>AgentK+V
The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack

3. ascorb+0t 2025-12-03 18:08:10
>>nine_k+7p
That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.
4. root_a+BQ 2025-12-03 20:02:44
>>ascorb+0t
As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.

5. korm+OU 2025-12-03 20:20:12
>>root_a+BQ
It's not a transitive dependency, it's just literally bundled into nextjs, I'm guessing to avoid issues with fragile builds.