zlacker

[parent] [thread] 3 comments
1. z3ratu+(OP)[view] [source] 2025-12-04 05:51:25
There can be no React RCE. If it is on the frontend, it is a browser RCE. If it is on the backend, then, as in this case, it is a Next.js RCE.
replies(3): >>antons+B7 >>Tomuus+Oh >>steve_+AF1
2. antons+B7[view] [source] 2025-12-04 07:13:55
>>z3ratu+(OP)
The Next.js server runs React modules. While one may argue that Next.js shouldn't bundle vulnerable dependencies, React does have modules for server-side runtimes these days and should be accountable.
3. Tomuus+Oh[view] [source] 2025-12-04 08:56:48
>>z3ratu+(OP)
The vulnerable code exists inside of the React Flight wire protocol that is used by Next.js but also Vite, Parcel, Waku and any other custom RSC implementation that exists. Your comment was accurate circa 2019 but not since React released server components.
4. steve_+AF1[view] [source] 2025-12-04 17:58:34
>>z3ratu+(OP)
You're wrong, but this is one of the unsettling things about the vulnerability and what React has become. Intuitively, you'd think a view library can't have RCE vulnerabilities like this. But that's not what React is anymore.