
Posted by sangeeth96 12/11/2025

Denial of service and source code exposure in React Server Components(react.dev)
See also: https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-..., https://nextjs.org/blog/security-update-2025-12-11
346 points | 225 comments
TZubiri 12/12/2025|
Interesting how DoS ranks higher than code exposure in severity.

I personally think it's the other way around, since code exposure increases the odds that a security breach happens, while DoS does not increase chances of exposure, but affects reliability.

Obviously we are simplifying a multidimensional severity to one dimension, but I personally think that breaches are more important than reliability. I'd rather have my app go down than be breached.

And I don't think it's a trivial difference; if you'd rather have a breach than downtime, you will have a breach.

scotty79 12/12/2025||
Language with dynamic code evaluation on the server plus fat client-server protocol that attempts to sync raw objects of the language. What could have gone wrong?

I wonder if similar magic fat pipe technologies (like Blazor) have similar vulnerabilities waiting to be discovered. Maybe compiled languages are safer by default in this scenario, but anything built in Python, PHP, Ruby or any "code is data" language would probably fare similarly poorly.

ChrisArchitect 12/11/2025||
Related:

React2Shell and related RSC vulnerabilities threat brief - Cloudflare

https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-... (https://news.ycombinator.com/item?id=46237515)

greatgib 12/12/2025||
In my point of view, this is well deserved to idiots that are seriously using RSC in production, despite that being a very bad idea...
jgalt212 12/12/2025||
I remember some podcast interview with Miško Hevery talking about how Qwik was very emphatic about what code ran on the server and what ran on the client. Seems self-evident and prescient. It was a great interview as Miško Hevery is extremely articulate about the problems at hand. If I find it, I'll post.
shadowgovt 12/11/2025||
Oh boy, I somehow missed that React was offering these.

Google has a similar technology in-house, and it was a bit of a nightmare a few years back; the necessary steps to get it working correctly required some very delicate dancing.

I assume it's gotten better given time.

ydj 12/12/2025||
I noticed requests that were exploiting the vulnerability were turning into timeouts pretty much immediately after rolling out the patch. I’m surprised it took so long for it to be announced.
delifue 12/12/2025||
Any attempt that blurs boundary between client and server is unsafe.
rikafurude21 12/11/2025||
I'm confused, did the update from last week for the RCE bug also include fixes for these new CVEs or will I need to update again? npm audit says there's no issues
billywhizz 12/11/2025||
is it not obvious?

> These issues are present in the patches published last week.

> The patches published last week are vulnerable.

> If you already updated for the Critical Security Vulnerability, you will need to update again.

rickhanlonii 12/11/2025|||
GitHub has to review the advisories and publish it for it to show in `npm audit`, so it's delayed.
theogravity 12/11/2025||
You need to update again.
cluckindan 12/11/2025|||
This could be the Next.js motto.
kyleee 12/12/2025||
You need to upgrade again, and no the docs aren’t finished (and they won’t be before the new new version).
qingcharles 12/12/2025|||
My Umami stats box got "pwned" about 15 mins after the last CVE was published and I spent an hour or so cleaning up that mess and upgrading everything. Not looking forward to doing it again today.
hedayet 12/11/2025|
I wonder what these vulnerabilities mean for Facebook. As per my knowledge, Facebook's the biggest web app written in React.
jsheard 12/11/2025||
Does Facebook actually use RSC? I thought it was mainly pushed by the Nextjs/Vercel side of the React team.
acemarke 12/11/2025|||
No, but it's primarily because Meta has their own server infrastructure already. RSCs are essentially the React team trying to generalize the data fetching patterns from Meta's infrastructure into React itself so they can be used more broadly.

I wrote an extensive post and did a conference talk earlier this year recapping the overall development history and intent of RSCs, as best as I understand it from a mostly-external perspective:

- https://blog.isquaredsoftware.com/2025/06/react-community-20...

- https://blog.isquaredsoftware.com/2025/06/presentations-reac...

brazukadev 12/11/2025||
So contrary to all other changes, this one was not done for Facebook to use. What was the reason behind RSC then?
acemarke 12/12/2025|||
Like I said above and in the post: it was an attempt to generalize the data fetching patterns developed inside of Meta and make them available to all React devs.

If you watch the various talks and articles done by the React team for the last 8 years, the general themes are around trying to improve page loading and data fetching experience.

Former React team member Dan Abramov did a whole series of posts earlier this year with differently-focused explanations of how to grok RSCs: "customizable Backend for Frontend", "avoiding unnecessary roundtrips", etc:

- https://overreacted.io

Conceptually, the one-liner Dan came up with that I liked is "extending React's component model to the server". It's still parent components passing props to child components, "just" spread across multiple computers.

brazukadev 12/12/2025||
Yeah the "just" is doing a lot of things, nobody asked for a react server but it turns out it could be the base for a $10B cloud company. Classical open source rugpull.
cluckindan 12/11/2025|||
Market capture?
brazukadev 12/12/2025||
That seems to be the case. They killed React for that.
samdoesnothing 12/11/2025|||
No they don't. I think Meta is just big enough that they don't really care what is happening with React anymore haha.
tacker2000 12/11/2025||
This is about React Server Components, a subset/feature of React that can optionally be installed and used.

Apps that use React without server components are not affected.
