[return to "RCE Vulnerability in React and Next.js"]
1. ajross+La 2025-12-03 16:47:06
>>rayhaa+(OP)
The CVE says that the flaw is in React Server Components, which implies strongly that this is an RCE on the backend (!!), not the client.
2. padjo+Hs 2025-12-03 18:06:23
>>ajross+La
Where else would it be? What would an RCE of the client even mean?
3. ajross+k11 2025-12-03 20:51:06
>>padjo+Hs
The term is always ambiguous. But React is generally understood as a client library and client-side vulnerabilities are hardly a new thing. XSS exists as a whole subfield of study precisely because of the difficulty of keeping site code from getting fooled by malicious input.

Basically you're technically correct with your quip, but engaging in some pretty awful security analysis. IMHO most people reading this headline are not going to understand that they need to audit their server dependencies.