298 points sangeeth96 | 3 comments
1. yread ◴[] No.46238173[source]
Were there not enough eyes on React Server Components before the patches from last week?
replies(2): >>46238327 #>>46239398 #
2. Inviz ◴[] No.46238327[source]
Have you seen the code of Next.js? It's completely impenetrable, and the packages have legacy versions of the same files coexisting. It's like a huge hairball.
3. manfre ◴[] No.46239398[source]
I've noticed a pattern in the security reports for a project I'm involved in. After a CVE is released, for the next month or so there will likely be additional reports targeting the same (or similar) areas of the framework. There is definitely a competitive spirit amongst security researchers as they try to get more CVEs credited to them (and potentially bounties).