←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 7 comments | 11 Dec 25 20:46 UTC | HN request time: 0.962s | source | bottom
1. rikafurude21 ◴[11 Dec 25 21:23 UTC] No.46237343[source]
Im confused, did the update from last week for the RCE bug also include fixes for these new CVEs or will I need to update again? npm audit says theres no issues
replies(3): >>46237389 #>>46238088 #>>46238360 #
2. billywhizz ◴[11 Dec 25 21:27 UTC] No.46237389[source]
is it not obvious?

> These issues are present in the patches published last week.

> The patches published last week are vulnerable.

> If you already updated for the Critical Security Vulnerability, you will need to update again.

3. rickhanlonii ◴[11 Dec 25 22:22 UTC] No.46238088[source]
GitHub has to review the advisories and publish it for it to show in `npm audit`, so it's delayed.
4. theogravity ◴[11 Dec 25 22:43 UTC] No.46238360[source]
You need to update again.
replies(2): >>46238948 #>>46241635 #
5. cluckindan ◴[11 Dec 25 23:41 UTC] No.46238948[source]
This could be the Next.js motto.
replies(1): >>46242456 #
6. qingcharles ◴[12 Dec 25 07:12 UTC] No.46241635[source]
My Umami stats box got "pwned" about 15 mins after the last CVE was published and I spent an hour or so cleaning up that mess and upgrading everything. Not looking forward to doing it again today.
7. kyleee ◴[12 Dec 25 09:40 UTC] No.46242456{3}[source]
You need to upgrade again, and no the docs aren’t finished (and they won’t be before the new new version).