zlacker

[return to "RCE Vulnerability in React and Next.js"]
1. samdoe+3R 2025-12-03 20:04:05
>>rayhaa+(OP)
This is genuinely embarrassing for the Next.js and React teams. They were warned for years that their approach to server-client communication had risks, derided and ignored everyone who didn't provide unconditional praise, and now this.

I think their time as JavaScript thought leaders is past due.

2. zbentl+cF4 2025-12-04 22:21:31
>>samdoe+3R
Curious, not critical: got links to the warnings that were given about this approach over the years?

I’m interested in learning more about the history here.

3. samdoe+6g5 2025-12-05 02:36:35
>>zbentl+cF4
Not really, I didn't keep receipts. This stuff was discussed heavily on X a couple years ago when they were first launched and a lot of people questioned the wisdom of implicit RPC and blurring the lines between client/server, and the increasing complexity of React. I'm sure there were some articles written as well.

I believe one of the React email services got pwned because they leaked sensitive info via RSC, and there was a whole fiasco around Next.js encrypting server secrets and sending them to the client.

Lo and behold, just a couple of years later, a lvl 10 RCE because of the complexity of their RPC approach coupled with the blurring of the lines between client/server... it's not like it's surprising to us. A repro of the vulnerability is on X & GitHub if you want to search for it; it's a classic deserialization bug that only exists because their format is so complex (and powerful).

Remember, a lot of us use React as a UI library, and to see it causing our servers to get pwned is what people were uneasy about when they announced RSC.

Unfortunately, much of this discussion is on X, which makes it hard to find, especially because I think Dan Abramov deleted his X account.
