zlacker

These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.

The important part to know:

- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack

- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

>>mmsc+(OP)
>AFAICT, they're AI generated.

What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think ai over a standard template some junior fills out.

>the vulnerability was not found by a Wiz employee at all

I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?

>>mmsc+(OP)
Hey mmsc, first of all - the blogs are not AI Generated!

Second of all, the blog did add more information

"In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks. "

In the end - if it helped spreading the news about this risk so teams can fix them faster, then this is our end-goal with these blog posts : )

>>mmsc+(OP)
There is some value:

> The vulnerability exists in the default configuration of affected applications

Can be inferred from the react blog but isn't really explicit

> According to Wiz data, 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478.

Numbers!

>>mmsc+(OP)
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).

>>jfindp+u3
the tl;dr definitely came out of an llm

presentation and formatting aside the constant attempts to manufacture legitimacy and signal urgency are a classic tell. everything is "near-100%" reliable, urgent, critical, reproducible, catastrophic. siren emoji

>>jfindp+u3
Hackernews' submission guidelines clearly state: "Please submit the original source. If a post reports on something found on another site, submit the latter." [0]

The Wiz post has significantly changed since it was first published (and how it looked when first posted to HN), FYI -- see [1]. When it was published, it was a summary of the React announcement, and was somehow longer than the original and yet provided less useful information than the original.

In any case, the "tell" is the syntactic structure (as Chomsky would say) and certain phrases used in the post.

[0]: https://news.ycombinator.com/newsguidelines.html

[1]: https://web.archive.org/web/20251203162416/https://www.wiz.i...

>>intern+A4
>> According to Wiz data, 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478.

> Numbers!

I do not see how such numbers are valuable to people reading this post, as the first indication of the existence of this vulnerability.

>>tenseg+48
The authors have said it isn't.

I can't believe saying a security vulnerability is "reproducible", "critical", etc. is a "classic tell of ai".

I've used "reproducible" and "critical" in my deliverables since well before ai was a thing.

>>jfindp+c9
Is it so important ? It's a mix of AI and human-written. It's normal nowadays and perfectly acceptable.

+ it is maybe 10% AI max, which seems to be for the structure / readability, and there is legit information under.

>>mmsc+(OP)
I can't even read the Wiz post, it just plays an unrelated full screen video at me after flickering a couple of times.

>>rvnx+zb
>Because author says it, it doesn't mean that it is true.

And because random HNer says it is ai doesn't mean it is ai.

>But still, is it so important?

Not to me, no. If the information is useful/entertaining/etc., I don't really care. But having to read "it's ai!" comments on literally every article/blog posted for the next 10 years is going to be super annoying. Especially if the reasoning provided is "they used the word critical". At least you pointed to something kind of interesting with the quotation marks (although, certainly not definitive of anything), rather than saying some extremely common word = ai.

>>rvnx+zb
So smart quotes is now an LLM tell? You know that a lot of people write in word processors that automatically replace standard quotes with smart quotes (like, say, MS Word), and that these word processors can then export HTML straight into your block or preserve the smart quotes across a copy & paste? Several blog WYSIWYG editors will also directly insert them as well.

>>jfindp+Cc
Absolutely, anyway you'll have critical judgment to make your own opinion.

What bothers me about the Wiz post is why they want to hide this HTTP request is actually not helpful in terms of security.

On the plus side, they help getting the word out there, so at least something.

>>nostra+ad
I think what they're saying is that having both in a document is the tell.

>>jfindp+u3
When I saw "WIZ Research - Critical Vulnerabilities in React and Next.js" on the big image banner, I immediately thought that Wiz found the vulnerability.

>>rvnx+zb
Yeah it's important, it degrades trust in the reader if you use AI without disclosing or ensuring them the document was proofread.

Same way if you read an article full of typos you lose trust in it. Those tells of AI voice undermine the author and make the reader suspicious

>>karimf+Vh
When Reuters has an article that says "Reuters Business - Interest rates going up", do you think Reuters made the interest rates go up themselves or that they are reporting on the interest rates?

>>Nitpic+gf
The document doesn't have both in it. It's possible it was edited, but someone else in the thread posted the archive.org original version, and it also doesn't have smart quotes:

https://web.archive.org/web/20251203162416/https://www.wiz.i...

(Note also that you can end up with mismatched quotes if you paste in a segment of text from some other source that uses them, which is pretty common in journalism for a fast-changing story.)

>>nostra+rm
https://archive.md/2025.12.03-165833/https://www.wiz.io/blog...

Mismatched smart quotes are visible in this archive.

>>aprilt+rj
>Same way if you read an article full of typos you lose trust in it

Not for long! This seems like this will soon be the only way to put something on the internet without people rabidly saying its ai (at least for a few weeks, until people start prompting for typos to be included).

>>jfindp+bm
Reuters isn’t a bank. Wiz is a security company so they have a greater responsibility to distinguish between their own original work and discoveries made by other researchers.

>>acdha+FD
They do that by saying "we discovered this" when they discover it.