←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 4 comments | 11 Dec 25 20:46 UTC | HN request time: 0s | source
Show context
rikafurude21 ◴[11 Dec 25 21:23 UTC] No.46237343[source]
Im confused, did the update from last week for the RCE bug also include fixes for these new CVEs or will I need to update again? npm audit says theres no issues
replies(3): >>46237389 #>>46238088 #>>46238360 #
1. theogravity ◴[11 Dec 25 22:43 UTC] No.46238360[source]
You need to update again.
replies(2): >>46238948 #>>46241635 #
2. cluckindan ◴[11 Dec 25 23:41 UTC] No.46238948[source]
This could be the Next.js motto.
replies(1): >>46242456 #
3. qingcharles ◴[12 Dec 25 07:12 UTC] No.46241635[source]
My Umami stats box got "pwned" about 15 mins after the last CVE was published and I spent an hour or so cleaning up that mess and upgrading everything. Not looking forward to doing it again today.
4. kyleee ◴[12 Dec 25 09:40 UTC] No.46242456[source]
You need to upgrade again, and no the docs aren’t finished (and they won’t be before the new new version).