298 points sangeeth96 | 21 comments
1. tagraves No.46237728
It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

replies(8): >>46237817 #>>46237826 #>>46237920 #>>46238009 #>>46238017 #>>46238302 #>>46239090 #>>46241026 #
2. treesknees No.46237817
What’s concerning about it? The first thing I thought when I read the headline was “wow, another react CVE?” It’s not a justification, it’s an explanation to the most obvious immediate question.
replies(3): >>46237975 #>>46238064 #>>46238562 #
3. zwnow No.46237826
Welcome to the React, Next, Vercel ecosystem. Our tech may be shite but we look fancy.
replies(1): >>46238571 #
4. samdoesnothing No.46237920
Also kind of funny that they're comparing it to Log4Shell. Maybe not the best sort of company to be keeping...
replies(1): >>46239350 #
5. vcarl No.46237975
It's definitely a defensive statement, proactively covering the situation as "normal". Normal it may be, but emphasizing that in the limited space of a tweet thread definitely indicates where their mind is on this, I'd think.
replies(1): >>46238404 #
6. haileys No.46238009
Perception management

https://en.wikipedia.org/wiki/Perception_management

7. rickhanlonii No.46238017
Thanks for the feedback, I adjusted it here so the first note is related to the impacted versions:

https://github.com/reactjs/react.dev/pull/8195

replies(1): >>46238329 #
8. tom1337 No.46238064
But it is another React CVE. Doesn't really matter why it was uncovered; it's bad that it existed either way.
9. hitekker No.46238302
There are a lot of careers riding on the optics here.
replies(1): >>46241564 #
10. tagraves No.46238329
I appreciate the follow up! I think it looks great now and doesn’t read as defensively anymore!
replies(1): >>46238791 #
11. treesknees No.46238404
Are you reading a different link? This statement is on a React blog post, not a Twitter thread.
12. brazukadev No.46238562
Insecure software will have multiple CVEs, not necessarily related to each other. Those 3 are probably not the only ones.
13. brazukadev No.46238571
The Vercel CEO post congratulating his team for how they managed the vulnerability was funny.
14. rickhanlonii No.46238791
Yeah agreed, thanks again for the feedback. The priority here is clear disclosure and upgrade steps.
15. TZubiri No.46239090
Very standard in security, announcements always always always try to downplay their severity.
replies(1): >>46239179 #
16. rickhanlonii No.46239179
fwiw, the goal here wasn't to downplay the severity, but to explain the context to an audience who might not be familiar with CVEs and what's considered normal. I moved the note down so the more important information, like severity, impacted versions, and upgrade instructions, is first.
replies(2): >>46240059 #>>46241019 #
17. everfrustrated No.46239350
React is the new JavaBean
18. isodev No.46240059
> an audience who might not be familiar with CVEs

If there are so many React developers out there using server side components while not familiar with the concept of CVEs, we’re in very serious trouble.

19. TZubiri No.46241019
It's ok, you gotta play the game. I'm more concerned about the fact that the downtime issue ranks higher than the security issue. But I'm assuming it relates to the specifics of the issue rather than reflecting on the priorities of the project as a whole.
20. 0xblinq No.46241026
I think the same. To me it looks like a Vercel marketing employee wrote that.
21. IceDane No.46241564
No, there aren't. The React team isn't going to axe half the team because there's a high severity CVE.