tagraves | 2 months ago

It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

treesknees | 2 months ago

What’s concerning about it? The first thing I thought when I read the headline was “wow, another react CVE?” It’s not a justification, it’s an explanation to the most obvious immediate question.

vcarl | 2 months ago

It's definitely a defensive statement, proactively covering the situation as "normal". Normal it may be, but emphasizing that in the limited space of a tweet thread definitely indicates where their mind is on this, I'd think.

tom1337 | 2 months ago

But it is another React CVE. Doesn't really matter why it was uncovered, it's bad that it existed either way.

brazukadev | 2 months ago

Insecure software will have multiple CVEs, not necessarily related to each other. Those 3 are probably not the only ones.

samdoesnothing | 2 months ago

Also kind of funny that they're comparing it to Log2Shell. Maybe not the best sort of company to be keeping...

zwnow | 2 months ago

Welcome to the React, Next, Vercel ecosystem. Our tech may be shite but we look fancy.

brazukadev | 2 months ago

The Vercel CEO post congratulating his team for how they managed the vulnerability was funny.

hitekker | 2 months ago

There are a lot of careers riding on the optics here.

IceDane | 2 months ago

No, there aren't. The React team isn't going to axe half the team because there's a high severity CVE.

0xblinq | 2 months ago

I think the same. To me it looks like a Vercel marketing employee wrote that.

TZubiri | 2 months ago

Very standard in security; announcements always, always, always try to downplay their severity.

rickhanlonii | 2 months ago

fwiw, the goal here wasn't to downplay the severity, but to explain the context to an audience who might not be familiar with CVEs and what's considered normal. I moved the note down so the more important information, like severity, impacted versions, and upgrade instructions, is first.