zlacker

Thread: "I got hacked: My Hetzner server started mining Monero"
1. esaym+WX 2025-12-18 05:49:42
>>jakels+(OP)
So this is part of the "React2Shell" CVE-2025-55182 issue? I find it interesting that this seems to get so little publicity. Almost like the issue is normal or expected. And it looks like the affected versions go back a little over a year. So if you've deployed anything with Next.js over the last 12 months, your web app is now probably part of a million-node botnet. And everyone's advice is just "use docker" or "install a firewall".

I'm not even sure what to say, or think, or even how to feel about the frontend ecosystem at this point. I've been debating leaving the whole "web app" ecosystem as my main employment venture and applying to some places requiring C++. C++ seems much easier to understand than whatever the latest frontend fad is. /rant

2. h33t-l+P71 2025-12-18 07:36:56
>>esaym+WX
I'm hearing about it like crazy because I deployed around 100 Next frontends in that time period. I didn't use server components though so I'm not affected.
3. mnahki+381 2025-12-18 07:39:33
>>h33t-l+P71
My understanding of the issue is that even if you don't use server components, you're still vulnerable.

Unless you're running a static HTML export, e.g. not running the Next.js server but serving through nginx or similar.

4. abusta+dx2 2025-12-18 17:00:00
>>mnahki+381
Yeah, crucially it says:

> If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

https://react.dev/blog/2025/12/03/critical-security-vulnerab...

So if you have a backend that supports RSC, even if you don't use it, you can still be vulnerable.

GP said they only shipped frontends, but that can mean a lot.

Edit: link
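A triage check for the condition the quoted advisory describes, added here as an example (not code from the thread, React or Next.js): it scans a parsed package-lock.json for packages that give the app an RSC-capable server. It assumes the real package names react-server-dom-webpack/parcel/turbopack and the fact that Next.js vendors its own precompiled copy of react-server-dom-webpack; the affected version ranges are deliberately not encoded, so compare whatever it reports against the advisory.

```javascript
// Added example: list lockfile packages that make a backend RSC-capable.
// Package names are real; affected version ranges are NOT encoded here,
// so check the reported versions against the React / Next.js advisories.
// Packages whose presence means the server can decode RSC payloads.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel',
                      'react-server-dom-turbopack'];
// Frameworks that vendor their own copy (Next.js ships a precompiled
// react-server-dom-webpack under next/dist/compiled), so scanning for the
// names above alone would miss the "I only shipped a Next frontend" case.
const RSC_FRAMEWORKS = ['next'];
// Flatten a lockfile (v1 nested "dependencies" or v2/v3 flat "packages")
// into [{ name, version }]; pass it JSON.parse() of package-lock.json.
function flattenLock(lock) {
  const out = [];
  if (lock.packages) {                              // lockfileVersion 2/3
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue;                    // the root project entry
      // keep only the last "node_modules/<name>" segment (scoped names too)
      const name = path.slice(path.lastIndexOf('node_modules/') + 13);
      out.push({ name, version: info.version });
    }
  } else if (lock.dependencies) {                   // lockfileVersion 1
    const walk = (deps) => {
      for (const [name, info] of Object.entries(deps)) {
        out.push({ name, version: info.version });
        if (info.dependencies) walk(info.dependencies);   // nested deps
      }
    };
    walk(lock.dependencies);
  }
  return out;
}
// An app whose lockfile contains none of these matches the advisory's
// "not affected" condition; otherwise the reported versions need checking.
function triageLock(lock) {
  const hits = flattenLock(lock).filter(
    (p) => RSC_PACKAGES.includes(p.name) || RSC_FRAMEWORKS.includes(p.name),
  );
  return { rscCapable: hits.length > 0, hits };
}
// Constructed sample in the v3 layout, not a real project's lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '0.0.0-sample' },
    'node_modules/next': { version: '0.0.0-sample' },
    'node_modules/next/node_modules/postcss': { version: '0.0.0-sample' },
  },
};
```

Running `triageLock(SAMPLE_LOCK)` flags only `next`, which is the point of comment 4: the framework alone makes the backend RSC-capable even if no server component is ever written.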
