
CVE 10.0 is bonkers for a project this widely used


The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack


That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.


As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.


It's not a transitive dependency, it's just literally bundled into nextjs, I'm guessing to avoid issues with fragile builds.


Why is it not normal for CI pipelines to cache these things? It's a huge waste of compute and network.


It's certainly not uncommon to cache deps in CI. But at least at some point CircleCI was so slow at saving+restoring cache that it was actually faster to just download all the deps. Generally speaking for small/medium projects installing all deps is very fast and bandwidth is basically free, so it's natural many projects don't cache any of it.


These often do get cached at CDNs inside of the consuming data centers. Even the ISP will cache these kind of things too.


The subjects of these types of posts should report the CVSS severity as 10.0 so the PR speak can't simply deflect to what needs to be done.


Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores.

While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug.


It’s possible to create a scoring system based on actual root cause analysis and impact scores.

Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.

Downplaying CVSS alone can smell a little like PR talk even however unintentional.


A CVSS score of 10.0 may be warranted in this case, but so many other CVSS scores are wildly inflated, that the scores don't mean a lot.


Regardless, it can still provide some context and adjustment vs none.

The above could be seen as spin too. How could CVSS be more accurate so you'd feel better?


React is widely used, react server components not so much.


Next.js is still pretty damn widely used.

