zlacker

1. sophie+(OP)[view] [source] 2025-12-03 19:48:01
The endpoint is not whatever the client asks for. It's marked specifically as exposed to the user with "use server". Of course the people who designed this recognize that this is designing an RPC system.

A similar bug could be introduced in the implementation of other RPC systems too. It's not entirely specific to this design.

(I contribute to React but not really on RSC.)

replies(2): >>clucki+pm >>brown9+gp
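To make the "explicitly marked endpoint" model in the post above concrete, here is an added illustration (not React's or Next.js's code, and not the thread's vulnerability): a toy RPC dispatcher in which only functions exported from modules the application author registers as "use server" get an identifier, and a request naming anything else is refused. The module objects, the `modName#fnName` id scheme and the request shape are constructed for this example.

```javascript
'use strict';

// Constructed stand-in for a module the author marked "use server":
// its exports are the only functions meant to be reachable from the client.
const cartModule = {
  addToCart: (userId, sku) => ({ ok: true, userId, sku }),
};

// Constructed internal helper module that was never marked "use server".
// It is deliberately NOT passed to buildManifest, so it gets no endpoint.
const internalModule = {
  resetDatabase: () => ({ ok: true }),
};

// "Build step": turn the registered server modules into a manifest mapping
// opaque ids to functions. Only what is listed here can ever be called.
function buildManifest(serverModules) {
  const manifest = new Map();
  for (const [modName, mod] of Object.entries(serverModules)) {
    for (const [fnName, fn] of Object.entries(mod)) {
      if (typeof fn === 'function') {
        manifest.set(`${modName}#${fnName}`, fn);
      }
    }
  }
  return manifest;
}

// Server side: look the client-supplied id up in the manifest; the client
// does not get to choose an arbitrary module or function by name.
function dispatch(manifest, request) {
  const { actionId, args } = request;
  if (typeof actionId !== 'string' || !manifest.has(actionId)) {
    return { status: 404, error: 'unknown server function' };
  }
  if (!Array.isArray(args)) {
    return { status: 400, error: 'args must be an array' };
  }
  const fn = manifest.get(actionId);
  return { status: 200, result: fn(...args) };
}

// Stand-alone usage with the constructed modules.
const manifest = buildManifest({ cart: cartModule });
console.log(dispatch(manifest, { actionId: 'cart#addToCart', args: ['u1', 'sku-9'] }));
console.log(dispatch(manifest, { actionId: 'internal#resetDatabase', args: [] }));
```

The point of the allowlist is the one sophie makes: the set of callable functions is fixed at build time by what the author marked, so a request cannot reach `internalModule` even though it exists in the same process. A transport bug that bypasses the manifest lookup, which is the kind of flaw the rest of the thread discusses, breaks that guarantee regardless of how carefully the author used "use server".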
2. clucki+pm[view] [source] 2025-12-03 21:34:57
>>sophie+(OP)
"use server" is not required for this vulnerability to be exploitable.
replies(1): >>sysgue+Dx1
3. brown9+gp[view] [source] 2025-12-03 21:48:56
>>sophie+(OP)
So any package could declare some modules as "use server" and they'd be callable, whether the RSC server owner wanted them to or not? That seems less than ideal.
replies(1): >>clucki+lB1
4. sysgue+Dx1[view] [source] [discussion] 2025-12-04 08:09:59
>>clucki+pm
Wait, I'm only using React for SPA (no server rendering).

am I also vulnerable??????

replies(2): >>clucki+ZA1 >>__jona+w62
5. clucki+ZA1[view] [source] [discussion] 2025-12-04 08:45:13
>>sysgue+Dx1
Only if you are running a vulnerable version of Next.js server.
6. clucki+lB1[view] [source] [discussion] 2025-12-04 08:47:19
>>brown9+gp
The vulnerability exists in the transport mechanism in affected versions. Default installs without custom code are also vulnerable even if they do not use any server components / server functions.
7. __jona+w62[view] [source] [discussion] 2025-12-04 13:02:21
>>sysgue+Dx1
No, unless you run the React Server Component runtime on your server, which you wouldn't do with a SPA; you would just serve a static bundle.