logoalt Hacker News

sophiebitsyesterday at 7:48 PM2 repliesview on HN

The endpoint is not whatever the client asks for. It's marked specifically as exposed to the user with "use server". Of course the people who designed this recognize that this is designing an RPC system.

A similar bug could be introduced in the implementation of other RPC systems too. It's not entirely specific to this design.

(I contribute to React but not really on RSC.)

Replies

cluckindanyesterday at 9:34 PM

”use server” is not required for this vulnerability to be exploitable.

brown9-2yesterday at 9:48 PM

so any package could declare some modules as “use server” and they’d be callable, whether the RSC server owner wanted them to or not? That seems less than ideal.