I got an email from Vercel urging to upgrade Next.js based project 3 days ago. POC was published 2 days ago. Today I’ve checked my logs and I could already see attack attempts.
I got an email from Vercel urging to upgrade Next.js based project 3 days ago. POC was published 2 days ago. Today I’ve checked my logs and I could already see attack attempts.
the vuln afaik is for remote code execution via basically a mechanism that’s kinda like a transparent RPC to the server (think like you just write frontend code with like a “getUsers” and it just automatically retrieves and deserializes the results so you can render the UI without worrying about how that data exists in the browser)
i’m not a front end engineer, and haven’t used react server components, but i am a principal software engineer, i do react for personal projects, and have written react professionally
i can’t think of a way it’d be exploitable via purely client-side means
i THINK what they mean is that you can use some of the RSC stuff without the RPC-style interfaces, and in that case they say the server component is still vulnerable, but you still need react things running on your server
a huge majority of react code is client-side only, with server-side code written in other languages/frameworks and interfaces with something like REST or GraphQL (or even RPC of course)