zlacker

CVE 10.0 is bonkers for a project this widely used

>>AgentK+(OP)
React is widely used, react server components not so much.

>>rs_rs_+uh
Next.js is still pretty damn widely used.

>>AgentK+(OP)
The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack

>>nine_k+co
That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.

>>AgentK+(OP)
The subjects of theses types of posts should report the CVSS severity as 10.0 so the PR speak can't simply deflect to what needs to be done.

>>ascorb+5s
As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.

>>root_a+GP
It's not a transitive dependency, it's just literally bundled into nextjs, I'm guessing to avoid issues with fragile builds.

>>root_a+GP
why is it not normal for CI pipelines to cache these things? its a huge waste of compute and network.

>>swyx+571
It's certainly not uncommon to cache deps in CI. But at least at some point CircleCI was so slow at saving+restoring cache that it was actually faster to just download all the deps. Generally speaking for small/medium projects installing all deps is very fast and bandwidth is basically free, so it's natural many projects don't cache any of it.

>>j45+UB
A CVSS score of 10.0 may be warranted in this case, but so many other CVSS scores are wildly inflated, that the scores don't mean a lot.

>>WatchD+yv1
Regardless it can still provide some context and adjustment cs none.

The above could be seen as spin too, how could cvss be more accurate so you’d feel better?

>>swyx+571
These often do get cached at CDNs inside of the consuming data centers. Even the ISP will cache these kind of things too.

>>j45+UB
Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores.

While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug.

>>jeroen+0T2
It’s possible to create a scoring system based on actual root cause analysis and impact scores.

Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.

Downplaying CVSS alone can smell a little like PR talk even however unintentional.