
298 points sangeeth96 | 4 comments
tagraves No.46237728
It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

replies(8): >>46237817 >>46237826 >>46237920 >>46238009 >>46238017 >>46238302 >>46239090 >>46241026
1. TZubiri No.46239090
Very standard in security, announcements always always always try to downplay their severity.
replies(1): >>46239179
2. rickhanlonii No.46239179
fwiw, the goal here wasn't to downplay the severity, but to explain the context to an audience who might not be familiar with CVEs and what's considered normal. I moved the note down so the more important information like severity, impacted versions, and upgrade instructions are first.
replies(2): >>46240059 >>46241019
3. isodev No.46240059
> an audience who might not be familiar with CVEs

If there are so many React developers out there using server side components while not familiar with the concept of CVEs, we’re in very serious trouble.

4. TZubiri No.46241019
It's ok, you gotta play the game. I'm more concerned about the fact that the downtime issue ranks higher than the security issue. But I'm assuming it relates to the specifics of the issue rather than reflecting on the priorities of the project as a whole.