It seems not a day goes by without some cloud outage or critical vulnerability issue. Let’s try to analyze the recent Cloudflare outage (not again 😩) caused by React Server Components.
The issue is very critical. Basically, any unauthorized client can execute arbitrary code on the server. The fix is provided. The person to blame is Sebastian Markbåge. Let’s take a closer look.
The description states that it’s a refactoring and just a functional PR, but at the end it reluctantly adds: btw guys, I fixed a CVE here (Oopsie 😅)

Two of his colleagues from Vercel approved it right away without even reading it. Trace the history: the PR was submitted at 12:38, then the first approval was received at the same time and the second at 12:40 (must have been finishing his cup of coffee for 2 minutes).
My red flags 🚩
- Just wrapping everything in try-catch doesn’t guarantee that the eval problem is magically gone (look at the fix closely)
- Not a single test was touched or created for this
- Review process was odd (2 people from Vercel team approved the PR).
- Where are all the smart bots that are supposed to check if the fix is valid?
- Where are all the React/Meta security experts to confirm that it’s safe to use it now?
- The public also looks too shy to ask
Silence…
If this is the level of Mag 7 engineering, sorry folks, but we’re doomed.
Off topic but related: let’s take a look at the world of CVEs. I crafted the report with vibe-coded React btw (no server components!!!) 😘
The state of the CVEs (the report is also available by direct link from here):
Conclusion

Cloud adoption continues and the attack vectors follow it. More and more hackers are targeting the main cloud providers and their cloud infrastructure. Long story short, CVEs have been on the rise since 2013 and the growth is getting exponential. Some of them will never be fixed (like 20% at the moment). Thanks to vibe coding, there are just not enough eyes to check all the petabytes of code (generated by your AI agent of choice) properly. But surely there are tons of such vulnerabilities in the wild just waiting to be exploited by someone.
Until the next one,
VR

