Hacker News Viewer

Denial of service and source code exposure in React Server Components

by sangeeth96 on 12/11/2025, 8:46:46 PM

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Comments

by: simonw

React Server Components always felt uncomfortable to me because they make it hard to look at a piece of JavaScript code and derive which parts of it are going to run on the client and which parts will run on the server.

It turns out this introduces another problem too: in order to get that to work you need to implement some kind of DEEP serialization RPC mechanism - which is kind of opaque to the developer and, as we've recently seen, is a risky spot in terms of potential security vulnerabilities.

12/11/2025, 9:59:10 PM


by: tagraves

It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It's common for critical CVEs to uncover follow-up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

12/11/2025, 9:53:50 PM


by: chuckadams

I remember when the point of an SPA was to *not* have all these elaborate conversations with the server. Just "here's the whole app, now only ask me for raw data."

12/11/2025, 9:06:56 PM


by: yread

Were there not enough eyes on React Server Components before the patches from last week?

12/11/2025, 10:28:39 PM


by: ashishb

The JavaScript fanatics will downvote me for saying this but I'll say this, "using a common JavaScript codebase on your client-side and server-side is like cooking food in your toilet, sooner or later, a contamination is guaranteed" [1]

1 - https://ashishb.net/tech/javascript/

12/11/2025, 10:21:51 PM


by: sangeeth96

Next team just published this: https://nextjs.org/blog/security-update-2025-12-11

Seems to affect 14.x, 15.x and 16.x.

12/11/2025, 9:47:57 PM


by: rikafurude21

I'm confused, did the update from last week for the RCE bug also include fixes for these new CVEs, or will I need to update again? npm audit says there are no issues.

12/11/2025, 9:23:00 PM


by: aatd86

LOL. I must have divination powers. I am currently working on a UI framework and opened an issue just 3 weeks ago that says:

"Seems that server functions are all the rage. We are unlikely to have them.

The main reason is that it ties the frontend and the backend together in undesirable ways.

- it forces a js backend upon people (what if I want to use Go for instance)
- the api is not client agnostic anymore
- How to specify middleware is not clear
- Requires a bundler, so destroys isomorphism (isomorphic code requires no difference between the client and the server / environment agnostic)
- even if it requires a bundler because it separates client and server implementation files, it blurs the data scoping (especially worrying for sensitive data)
- Do one thing and do it well: separate frontend and backend.

It might be something that is useful for people who only plan on having a javascript web frontend server separate from the API server that links to the backend service.

Besides, it is really not obvious to me how it becomes architecturally clearer. It would double the work in terms of security wrt authorization etc. This is at least not a generic pattern.

So I'd tend to go opposite to the trend and say no. Who knows, we might revisit it if anything changes in the future."

And boy, look at the future 3 weeks later...

To be fair, the one good thing is that they are hardening their implementation thanks to these discoveries. But still seems to me that this is wholly unnecessary and possibly will never be safe enough.

Anyway, not to toot my own horn, I know for a fact these things are difficult. Just found the timing funny. :)

12/11/2025, 10:17:57 PM


by: hedayet

I wonder what these vulnerabilities mean for Facebook. As per my knowledge, Facebook is the biggest web app written in React.

12/11/2025, 10:00:10 PM


by: bflesch

So we have a new React CVE and tomorrow is Friday, so please be prepared for a new outage brought to you by the super-engineers at Cloudflare.

12/11/2025, 9:57:57 PM


by: shadowgovt

Oh boy, I somehow missed that React was offering these.

Google has a similar technology in-house, and it was a bit of a nightmare a few years back; the necessary steps to get it working correctly required some *very* delicate dancing.

I assume it's gotten better given time.

12/11/2025, 10:14:00 PM


by: ChrisArchitect

Related:

*React2Shell and related RSC vulnerabilities threat brief - Cloudflare*

https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/ (https://news.ycombinator.com/item?id=46237515)

12/11/2025, 9:42:28 PM


by: carlcortright

dammit

12/11/2025, 9:49:48 PM


by: rickhanlonii

After Log4Shell, additional CVEs were reported as well.

It's common for critical CVEs to uncover follow-up vulnerabilities because researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.

12/11/2025, 9:54:06 PM