zlacker

[return to "RCE Vulnerability in React and Next.js"]
1. AgentK+V 2025-12-03 16:04:20
>>rayhaa+(OP)
CVE 10.0 is bonkers for a project this widely used
2. nine_k+7p 2025-12-03 17:49:44
>>AgentK+V
The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack

3. ascorb+0t 2025-12-03 18:08:10
>>nine_k+7p
That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.
4. root_a+BQ 2025-12-03 20:02:44
>>ascorb+0t
As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.

5. swyx+081 2025-12-03 21:25:58
>>root_a+BQ
Why is it not normal for CI pipelines to cache these things? It's a huge waste of compute and network.
6. FINDar+7g1 2025-12-03 22:06:58
>>swyx+081
It's certainly not uncommon to cache deps in CI. But at least at some point CircleCI was so slow at saving and restoring the cache that it was actually faster to just download all the deps. Generally speaking, for small/medium projects, installing all deps is very fast and bandwidth is basically free, so it's natural that many projects don't cache any of it.