React got hacked. It's really, really bad.
Top Comments (10)
The impressive part is that anyone was actually able to use React Server Components at all.
Me last week: shit, we are really behind using Next.js 14. Me this week: thank god we are using Next.js 14.
I'd love to update. I'm scared of NPM at this point 😂
Too bad that my company's production server was hacked 2 days ago because of this... 🤷♂
I think this is an example of building something so clever it was hard to realize the security implications in advance. It is an elaborate mechanism for taking code (or arbitrarily complex state that functionally also qualifies as code security-wise) from the client and running it on the server, but that's not what it sounds like at first glance and I've never heard anyone talk about server components the same way we talk about the browser sandbox being security critical. That does actually seem like a developer education mistake we're making in multiple platforms.
Ah shoot. Why did I have to watch this after midnight? Now I gotta get up and check if I've been hacked. Edit: Yep, I was hacked D:
31:58 "There is something like this in almost every complex enough codebase." This completely misses the point. I could find only one notable, somewhat recent CVE (2018-6341) in React prior to this: discovered in 2018, an XSS attack on ReactDOMServer with a CVSS of 6.1. The lesson isn't "every big project has security vulnerabilities" (though it's true), it's "overly complex wire transfer formats are dangerous, especially when parsed by dynamic languages". For example, the most critical vulnerabilities in gRPC were caused either by C memory bugs or JS prototype pollution.
The dev that discovered and reported this should immediately get an offer from Meta higher than his current salary.
> Credit to the dev that disclosed this, he could have done terrible things
Or sold the exploit to intel agencies for a ffffffuck ton of money
18:55 correction: just because it was not 'publicly' known and exploited does not mean it was not privately known and exploited. SREs will have to go back in their logs and check if this was actually utilized before.