zlacker

1. h33t-l+ (OP) 2025-12-18 07:36:56
I'm hearing about it like crazy because I deployed around 100 Next frontends in that time period. I didn't use server components though so I'm not affected.
replies(1): >>mnahki+e
2. mnahki+e 2025-12-18 07:39:33
>>h33t-l+(OP)
My understanding of the issue is that even if you don't use server components, you're still vulnerable.

Unless you're running a static HTML export, e.g. not running the Next.js server but serving through nginx or similar.

replies(1): >>abusta+op1
3. abusta+op1 2025-12-18 17:00:00
>>mnahki+e
Yeah, crucially it says

> If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

https://react.dev/blog/2025/12/03/critical-security-vulnerab...

So if you have a backend that supports RSC, even if you don't use it, you can still be vulnerable.

GP said they only shipped front ends but that can mean a lot.

Edit: link

replies(1): >>azemet+Ot1
4. azemet+Ot1 2025-12-18 17:17:00
>>abusta+op1
They might be referring to another Vercel vulnerability that allowed anyone to bypass their auth with relative ease due to poor engineering practices:

https://nvd.nist.gov/vuln/detail/CVE-2025-29927

That plus the most recent React one, and you have a culture that does not care for its customers but rather chases fads to help greedy careers.
