
298 points sangeeth96 | 5 comments
tagraves ◴[] No.46237728[source]
It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

replies(8): >>46237817 #>>46237826 #>>46237920 #>>46238009 #>>46238017 #>>46238302 #>>46239090 #>>46241026 #
1. treesknees ◴[] No.46237817[source]
What’s concerning about it? The first thing I thought when I read the headline was “wow, another React CVE?” It’s not a justification, it’s an explanation to the most obvious immediate question.
replies(3): >>46237975 #>>46238064 #>>46238562 #
2. vcarl ◴[] No.46237975[source]
It's definitely a defensive statement, proactively covering the situation as "normal". Normal it may be, but emphasizing that in the limited space of a tweet thread definitely indicates where their mind is on this, I'd think.
replies(1): >>46238404 #
3. tom1337 ◴[] No.46238064[source]
But it is another React CVE. Doesn't really matter why it was uncovered, it's bad that it existed either way.
4. treesknees ◴[] No.46238404[source]
Are you reading a different link? This statement is on a React blog post, not a Twitter thread.
5. brazukadev ◴[] No.46238562[source]
Insecure software will have multiple CVEs, not necessarily related to each other. Those 3 are probably not the only ones.