Channel
Interviewed Person
Theo Browne (t3dotgg)
Yes, React actually got hacked... Thank you WorkOS for sponsoring! Check them out at: https://soydev.link/workos

SOURCES
https://x.com/rauchg/status/1997362942929440937
https://x.com/duborges/status/1997293892090183772
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://blog.cloudflare.com/5-december-2025-outage/

Want to sponsor a video? Learn more here: https://soydev.link/sponsor-me
Check out my Twitch, Twitter, Discord and more at https://t3.gg
S/O Ph4se0n3 for the awesome edit 🙏

Channel: Theo - t3.gg
Sadly, this one isn't clickbait. React got hacked, and it's pretty bad. On December 3rd, a CVE regarding React went public, showcasing an exploit that was possible in versions 19, 19.1, 19.1.1, and 19.2 of React. This is an exploit that allows the server component Flight protocol, which is how data is passed between the backend and the frontend, to be hijacked to allow for remote code execution on the server. This is basically as bad as it gets. Not even basically. It got a 10 for the severity score in the official CVE. Like, it's
this is as bad as it gets. It's one of the worst exploits that we've ever seen in the modern web. And the story of how it was found, how it could be exploited, the people who have already been affected, and most importantly, the entire industry working together to try and prevent this from affecting users is a really impressive story. I actually chose to delay my coverage a little bit because raising awareness of the exploit itself could cause as much damage as it resolves, because people knowing how to
do this exploit is scary. People like poor Eduardo have already been hacked as a result of this, which is terrifying. It is worth noting that if you're on a major web provider like Cloudflare, Vercel, or Netlify that's more in the know for the React world, they have firewall mitigations that mitigate most of the risk. There is still potential they can be worked around, which is why you really, really, really should update to the latest version of React for the minor that you're on. But since Eduardo here wasn't on Vercel, he was on Hetzner, he ended up getting hacked pretty bad. There is so much to dive into here, from how the exploit was found to how it affects people to what we can
do to prevent things like this going forward. I have no good transition for the ad spot here. Just roll it and we'll cover the rest in a sec. I have two questions for you. First, does your app have any users? If the answer is no, you can skip this ad. But if it does, question two is, are you ready to take on your first enterprise customers? If Salesforce hit you up today and said, "Hey, we love your app. We really want to use it at the company. Can you get us set up with Okta? Just put us in touch with your IT team." Do you even have an IT team ready to go to do all of that setup? It's obnoxious. And that's why today's sponsor is so clutch. WorkOS is
the place you should start if you want to have enterprise customers. Even if not yet, if it's a plan in the future, you really should make the switch. I don't even want to think about how many potential enterprise deals we lost because we didn't have the ability to onboard those customers, because we didn't have this set up right. I rolled my own auth for T3 Chat and I've been regretting it for a year now, which is why we just completed the move over to WorkOS. Yes, we actually made the move ourselves. There are so many reasons why we did this move, but honestly, the admin portal is one of the best ones. It's so easy to set up real companies on
your platform. I don't know if you had to deal with this before, but the hell of trying to onboard another company onto your auth platform is miserable, especially if you don't have it set up just right. With admin portal, you literally send them a link, they click the configure single sign-on button, pick whichever identity provider they're using at their company, and you're good to go. The alternative to WorkOS isn't rolling your own auth. The alternative to WorkOS is hiring a whole team of people to deal with all this crap. So, it's got to be super expensive, right? Not only is it surprisingly cheap, your first million users are free. I've been super impressed since we moved over, and I bet
you will be too, at soydev.link/workos. There's a couple of key questions I want to make sure we answer through this. How does it work? How was it found? What is affected? And how do I fix it? Excited to dive into all of these with you guys. But first, of course, we need to talk about how it works. Guillermo did a pretty good write-up on this. The current code name for the exploit is React2Shell, because it lets you abuse the React protocol to get shell-level execution, which is terrifying. "This strange data structure is responsible for many sleepless nights this week across the
industry. This is the now infamous React2Shell payload, as discovered by Lachlan Davidson, now widely circulating." It's a small thing, but I do love how much they are trying to get positive credit to the person who found this. That dev could have gone and abused the hell out of this and done terrible things without disclosing it. And it would have taken forever for people to even notice. "I wanted to provide my point of view on the attack, how it came about, and what we're doing, as well as the lessons learned." So, that payload that he linked is this, which doesn't look too weird if you've seen