I got an email from Vercel urging me to upgrade my Next.js-based project 3 days ago. The POC was published 2 days ago. Today I’ve checked my logs and I could already see attack attempts.
it looks like this only applies to react server components, and it doesn’t look like element uses react server components
but i only had a quick skim; could be wrong, but personally i wouldn’t shut it down - not that i’m running a server myself
I have no experience with React, so I couldn’t tell. Thanks for the info, I’ll keep it in mind.
I think I’ve seen it mentioned that in case RSC isn’t used, it might be vulnerable but it’s not really confirmed, but you’re right that it probably doesn’t warrant shutting down the server.
I don’t really need it that much, though, so I’ll just wait for the update, take a scour through logs and use it as a learning opportunity for forensics, and skip the reinstall.
the vuln afaik is for remote code execution via basically a mechanism that’s kinda like a transparent RPC to the server (think like you just write frontend code with like a “getUsers” and it just automatically retrieves and deserializes the results so you can render the UI without worrying about how that data exists in the browser)
i’m not a front end engineer, and haven’t used react server components, but i am a principal software engineer, i do react for personal projects, and have written react professionally
i can’t think of a way it’d be exploitable via purely client-side means
i THINK what they mean is that you can use some of the RSC stuff without the RPC-style interfaces, and in that case they say the server component is still vulnerable, but you still need react things running on your server
a huge majority of react code is client-side only, with server-side code written in other languages/frameworks that interfaces with something like REST or GraphQL (or even RPC of course)
Any website using CSR only can’t have an RCE because the code runs on the client. Any code capable of RSC that runs server and client side may be vulnerable.
From what I’ve seen, the exploit is a special request from a client that functionally lets you exec anything you want (via Function’s constructor). If your server is unpatched and recognizes the request, it may be (likely is) vulnerable.
I’m sure we’ll get more details over time and tools to manually check if a site is compromised.
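The posts above turn on whether a deployment even uses the React Server Components / Server Actions surface. The following triage script is an added example, not code from the thread or from Next.js: it reports whether a checkout has an App Router `app/` directory or source files carrying a `'use server'` directive, and prints the `next` version from `package.json`. It only describes the exposed surface; the sample projects it builds are constructed for the demo, and it does not decide whether a given deployment is affected.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Next.js checkout for the RSC / Server Actions
# surface. Standard Next.js layout assumed; sample projects below are constructed.
set -eu

# Prints "next=<version>" taken from package.json, or "next=unknown" if absent.
next_version() {
  pkg="$1/package.json"
  v=""
  if [ -f "$pkg" ]; then
    v=$(sed -n 's/.*"next"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
  fi
  echo "next=${v:-unknown}"
}

# Counts source files whose first statement is a 'use server' directive (Server Actions /
# server functions: the RPC-style surface the thread describes), skipping node_modules.
use_server_files() {
  grep -rlE --exclude-dir=node_modules \
    --include='*.js' --include='*.jsx' --include='*.ts' --include='*.tsx' \
    "^[[:space:]]*['\"]use server['\"]" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Returns 0 when the project exposes an RSC surface (App Router, whose components are server
# components by default, or any 'use server' files); returns 1 otherwise.
has_rsc_surface() {
  dir="$1"
  if [ -d "$dir/app" ] || [ -d "$dir/src/app" ]; then
    return 0
  fi
  n=$(use_server_files "$dir")
  [ "$n" -gt 0 ]
}

# Builds a constructed sample project ("rsc" = App Router with a server action,
# "csr" = pages router only) and prints its path. Version string is a placeholder.
make_sample() {
  d=$(mktemp -d)
  printf '{ "dependencies": { "next": "0.0.0-constructed-sample" } }\n' > "$d/package.json"
  if [ "$1" = "rsc" ]; then
    mkdir -p "$d/app/actions"
    printf "'use server'\nexport async function getUsers() { return [] }\n" > "$d/app/actions/users.ts"
  else
    mkdir -p "$d/pages"
    printf "export default function Home() { return null }\n" > "$d/pages/index.js"
  fi
  echo "$d"
}
```

Run it against a real checkout with `has_rsc_surface /path/to/project` and `next_version /path/to/project`; a `pages/`-only project reports no RSC surface but may still run server-side code, so the result is a starting point for the upgrade decision, not a verdict.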