top | item 46139092

(no title)

sophiebits | 2 months ago

The endpoint is not whatever the client asks for. It's marked specifically as exposed to the user with "use server". Of course the people who designed this recognize that this is designing an RPC system.

A similar bug could be introduced in the implementation of other RPC systems too. It's not entirely specific to this design.

(I contribute to React but not really on RSC.)

discuss

cluckindan|2 months ago

”use server” is not required for this vulnerability to be exploitable.

sysguest|2 months ago

wait I'm only using React for SPA (no server rendering)

am I also vulnerable??????

brown9-2|2 months ago

so any package could declare some modules as “use server” and they’d be callable, whether the RSC server owner wanted them to or not? That seems less than ideal.

cluckindan|2 months ago

The vulnerability exists in the transport mechanism in affected versions. Default installs without custom code are also vulnerable even if they do not use any server components / server functions.