
esaym | 2 months ago

So this is part of the "React2Shell" CVE-2025-55182 issue? I find it interesting that this seems to get so little publicity. Almost like the issue is normal or expected. And it looks like the affected versions go back a little over a year. So if you've deployed anything with Next.js over the last 12 months, your web app is now probably part of a million-node botnet. And everyone's advice is just "use Docker" or "install a firewall".

I'm not even sure what to say, or think, or even how to feel about the frontend ecosystem at this point. I've been debating leaving the whole "web app" ecosystem as my main employment venture and applying to some places requiring C++. C++ seems much easier to understand than whatever the latest frontend fad is. /rant


syhol | 2 months ago

Frontend churn has chilled out so much over the last few years. The default webapp stack today has been the same for 5 years now: Next.js (9 years old), React (12 years old), Tailwind (8 years old), Postgres (36 years old). I'm not endorsing this stack; it just seems to be the norm now.

Compare that to what we had in the late '00s and early '10s: we went through Prototype -> MooTools -> jQuery -> Backbone -> AngularJS -> Ember -> React, all in about 6 years. That's a new recommended framework every year. If you want to complain about fads and churn, hop on over to AI development; they have plenty.

lobsterthief | 2 months ago

I remember that. To be honest it was exhausting. Fun, but exhausting. It’s nice now to have found a stack that is “just fine” for most things.

hypeatei | 2 months ago

You can write web apps without touching the hottest JS framework of the week. I've never touched these frameworks that try to blur the line between frontend and backend.

Pick a solid technology (.NET, Java, Go, etc.) for the backend and use whatever you want for your frontend. Voila, fewer CVEs and less churn!

h33t-l4x0r | 2 months ago

I'm hearing about it like crazy because I deployed around 100 Next frontends in that time period. I didn't use server components though so I'm not affected.

mnahkies | 2 months ago

My understanding of the issue is that even if you don't use server components, you're still vulnerable.

Unless you're running a static HTML export, i.e. not running the Next.js server, but serving through nginx or similar.

newsoftheday | 2 months ago

For my Java-based sites, I use HTML/CSS/JS (vanilla JS), no frameworks.