Snack Pack: React RSC Emergency: Stop Everything & Patch Now

You are viewing the Newsletter Archive. Published Wednesday Dec 10, 2025
← Back to all issues

A Tasty Treats NEWSLETTER for Web Developers

Issue #59:

React RSC vulnerability goes DEFCON 1 — you really need to upgrade
FizzBuzz in pure CSS, because reality is officially optional now
22 fresh CSS features dropped and your layout skills are already obsolete
Should we have skipped JSON entirely and gone straight to binary?
Optical illusions for when your brain has already melted from patching servers

BREAKING NEWS

If you have not heard yet, a critical vulnerability in React Server Components was found. UPGRADE RIGHT NOW. This is bad. Really really bad. This affects any server using RSC's including Next.js.

For a detailed timeline of what happened see this article by wiz.

This vulnerability is being actively exploited in the wild. For a deep dive into how servers are being PWNED see this article by wiz as well.

TLDR: Just read this whole thing and stop trying to "save time". This is really bad and you should understand the impact. This is a pre-authentication remote code execution vulnerability (CVE score of 10!!). Every single version of React since v19.0.0 and every single version of Next.js since 14.3.0-canary.77 is vulnerable.

Pre-authentication means middleware will not save you, the exploit happens before any possible auth code runs
Remote code execution is the worse possible type of vulnerability - an attacker can execute code ON YOUR SERVER, they can steal sensitive environment variables, crash the server, move laterally through your network...
The POC (proof of concept) that was released shows just how bad this is, a single POST request sent to a vulnerable React / Next.js server will exploit it
All of the major hosting providers (Vercel, AWS, Microsoft, Cloudflare, Fastly, Akamai, F5, Google, Deno, Netlify, Railway, Fly, and others) released WAF (web application firewall) block rules of the attack before the patch was released so you might be protected if you do not upgrade, but these WAF rules are being bypassed in the wild as well.

Stay safe out there. Keep your packages up to date and stop writing vulnerable object access code.

-CJ

Fizz Buzz in CSS

FROM CJ

CSS is becoming more and more capable... Susam shows us how to do Fizz Buzz in pure CSS!

Do's and Don'ts of useEffectEvent in React

CJ'S LINK

useEffectEvent was released in v19.2 of React and allows us to extract non-reactive logic from Effects. This article breaks down how it works and how to use it.

CSS Wrapped 2025

THIS IS CJ'S NEWSLETTER NOW

The chrome dev team recaps 22 new CSS and UI features that landed on the web platform.

In 1995, a Netscape employee wrote a hack in 10 days that now runs the Internet

IF YUOU'RE READING THIS SAY THX TO CJ ON X

A quick recap of how it all started. JS was created 30 years ago!

just for fun:

Optical Toys

fun PROVIDED by KAITLIN

Optical illusions and brain bending toys

The Feed

New videos 3×/week

The Home Server / Synology Show

Reacting to the Weird + Creative Corners of the Web

TypeScript on the GPU with TypeGPU creator Iwo Plaza

Gift Guide For Devs | Our Favorite Things

CJ's CORNER

Advent of Code | Day 3 and Day 4 Explained | JavaScript/TypeScript

Advent of Code | Day 1 and Day 2 Explained | JavaScript/TypeScript

All Hail The Algorithm

Some good stuff™ from the socials

Dmitrii Kovanikov

@ChShersh

JSON over network was a mistake.

We should’ve stuck to binary encoding and just improve the tooling to view binary data in a human-readable format.

7:15 AM • Dec 3, 2025

146

Retweets

4695

Likes

Read 539 replies

Dmitrii thinks we should have skipped JSON and went straight to binary.

SHAMELESS PLUG

Sentry built AI straight into their parts where teams lose time, turning existing data into instant context — it’s now available to all Sentry users.

READ MORE