zlacker: comments on "RCE Vulnerability in React and Next.js"
1. AgentK+V 2025-12-03 16:04:20
>>rayhaa+(OP)
CVE 10.0 is bonkers for a project this widely used
2. nine_k+7p 2025-12-03 17:49:44
>>AgentK+V
The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack

3. ascorb+0t 2025-12-03 18:08:10
>>nine_k+7p
That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.
4. root_a+BQ 2025-12-03 20:02:44
>>ascorb+0t
As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.

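The two comments above turn on the same practical question: a package that nobody installs directly can still be on every machine that installs something which bundles it. The quickest way to answer "is it in my tree, and through what?" is to read the project's own package-lock.json rather than trust download statistics. The script below is an added example (not code from the thread, from React, or from Next.js). It walks a lockfileVersion 3 layout, resolves each dependency the way Node does (nearest `node_modules/<name>` walking up from the dependant), and reports every chain from the root to a target package plus every installed version. The embedded lockfile is constructed for illustration; its package names and versions are placeholders, not the real Next.js dependency tree.

```python
"""Locate a package in a project's dependency tree via package-lock.json.

Added example; the lockfile below is constructed and does not describe
the real dependency tree of Next.js or React.
"""
import json

# Constructed sample lockfile (lockfileVersion 3 shape): the root project
# depends on "next", and "next" carries its own nested copy of
# "react-server-dom-webpack". Versions are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": {"next": "^15.0.0", "react": "^19.0.0"}
    },
    "node_modules/next": {
      "version": "15.0.0",
      "dependencies": {"react-server-dom-webpack": "19.0.0",
                       "styled-jsx": "5.1.6"}
    },
    "node_modules/next/node_modules/react-server-dom-webpack": {
      "version": "19.0.0",
      "dependencies": {"react": "^19.0.0"}
    },
    "node_modules/react": {"version": "19.0.0"},
    "node_modules/styled-jsx": {"version": "5.1.6"}
  }
}
""")


def resolve(packages, from_path, dep):
    """Node-style resolution: the nearest node_modules/<dep> at or above
    from_path. Returns the lockfile key, or None if it is not installed."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Step up one level by stripping the trailing "/node_modules/<name>".
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def dependency_chains(lock, target):
    """Every chain root -> ... -> target (last element carries the version).

    Cycles are cut with an on-stack set so a circular dependency cannot
    recurse forever; the walk does not descend past the target itself.
    """
    packages = lock["packages"]
    chains = []

    def walk(path, chain, on_stack):
        for dep in packages.get(path, {}).get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in on_stack:
                continue
            if dep == target:
                version = packages[dep_path].get("version", "?")
                chains.append(chain + [f"{dep}@{version}"])
                continue
            walk(dep_path, chain + [dep], on_stack | {dep_path})

    walk("", ["(root)"], {""})
    return chains


def installed_versions(lock, target):
    """All installed copies of target: (lockfile path, version), sorted."""
    suffix = f"node_modules/{target}"
    return sorted(
        (path, entry.get("version", "?"))
        for path, entry in lock["packages"].items()
        if path == suffix or path.endswith("/" + suffix)
    )


if __name__ == "__main__":
    pkg = "react-server-dom-webpack"
    for path, version in installed_versions(SAMPLE_LOCK, pkg):
        print(f"installed: {path} ({version})")
    for chain in dependency_chains(SAMPLE_LOCK, pkg):
        print("chain:", " -> ".join(chain))
```

To run it against a real project, replace `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; the on-stack guard matters there because real trees do contain cycles, and a package appearing under several `node_modules` paths (as the nested copy does here) is exactly the case where a top-level `npm ls` glance can mislead.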
5. swyx+081 2025-12-03 21:25:58
>>root_a+BQ
Why is it not normal for CI pipelines to cache these things? It's a huge waste of compute and network.
6. odie55+u62 2025-12-04 05:30:20
>>swyx+081
These often do get cached at CDNs inside the consuming data centers. Even the ISP will cache these kinds of things too.