I got an email from Vercel urging to upgrade Next.js based project 3 days ago. POC was published 2 days ago. Today I’ve checked my logs and I could already see attack attempts.
Fuck, Element for Matrix is apparently build on React, and I was updating like 4 days ago after few months.
Well, time to update again, I hope it’s fine. Never really learned how to properly compromise-check your server.
it looks like this only applies react server components, and it doesn’t look like element uses react server components
but i only had a quick skim; could be wrong, but personally i wouldn’t shut it down - not that im running a server myself
I have no experience with React, so I couldn’t tell. Thanks for the info, I’ll keep it in mind.
I think I’ve seen it mentioned that in case RSC isn’t used, it might be vulnerable but it’s not really confirmed, but you’re right that it probably doesn’t warrant shutting down the server.
I don’t really need it that much, though, so I’ll just wait for the update, take a scour through logs and use it as a learning opportunity for forensics, and skip the reinstall.
the vuln afaik is for remote code execution via basically a mechanism that’s kinda like a transparent RPC to the server (think like you just write frontend code with like a “getUsers” and it just automatically retrieves and deserializes the results so you can render the UI without worrying about how that data exists in the browser)
i’m not a front end engineer, and haven’t used react server components, but i am a principal software engineer, i do react for personal projects, and have written react professionally
i can’t think of a way it’d be exploitable via purely client-side means
i THINK what they mean is that you can use some of the RSC stuff without the RPC-style interfaces, and in that case they say the server component is still vulnerable, but you still need react things running on your server
a huge majority of react code is client-side only, with server-side code written in other languages/frameworks and interfaces with something like REST or GraphQL (or even RPC of course)
Well, Element seems to still be running at the unupdated version even after update, so I’m just shutting the server down.
I’m bummed that it took me 5 days to learn about it, does anyone have some tips how to get early warnings for techs you’re using? I’m guessing there’s a way with npm.
Also, anyone has some tips how to properly compromise-check your server? I’m guessing there are logs to check for compromise, and audit your startup scripts for persistence? Any tools that could help with that?
