Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The endpoint is not whatever the client asks for. It's marked specifically as exposed to the user with "use server". Of course the people who designed this recognize that this is designing an RPC system.

A similar bug could be introduced in the implementation of other RPC systems too. It's not entirely specific to this design.

(I contribute to React but not really on RSC.)



”use server” is not required for this vulnerability to be exploitable.


wait I'm only using React for SPA (no server rendering)

am I also vulnerable??????


Only if you are running a vulnerable version of Next.js server.


No, unless you run the React Server Component runtime on your server, which you wouldn't do with a SPA, you would just serve a static bundle.


so any package could declare some modules as “use server” and they’d be callable, whether the RSC server owner wanted them to or not? That seems less than ideal.


The vulnerability exists in the transport mechanism in affected versions. Default installs without custom code are also vulnerable even if they do not use any server components / server functions.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: