These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.
The important part to know:
- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think ai over a standard template some junior fills out.
>the vulnerability was not found by a Wiz employee at all
I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?
Hackernews' submission guidelines clearly state: "Please submit the original source. If a post reports on something found on another site, submit the latter." [0]
The Wiz post has significantly changed since it was first published (and how it looked when first posted to HN), FYI -- see [1]. When it was published, it was a summary of the React announcement, and was somehow longer than the original and yet provided less useful information than the original.
In any case, the "tell" is the syntactic structure (as Chomsky would say) and certain phrases used in the post.
>in case you aren't aware as to where to find them
The guidelines are linked at the bottom of every page, and directly underneath the comment box on new accounts. I also, perhaps surprisingly, know how to google "hn guidelines". Or ask chatgpt. Or reply "where's that piece of information from?".
>I think that's a doubly reasonable thing to do, given that your account is new, too.
People link the guidelines and, like, wikipedia to accounts that are 10 years old with 30,000 karma. It's a weird quirk of HN.
If you're talking to someone in real life, or professional emails, or whatever and you provide citations for commonly known things/definitions/etc.... you're being condescending.
> If you're talking to someone in real life, or professional emails, or whatever and you provide citations for commonly known things/definitions/etc.... you're being condescending.
If you're commenting on a public forum and you provide citations for commonly known things/definitions/etc., you're supplying the source of your claims for people who may be unaware. You are not the only reader of their comment (nor this one), even if it is in direct reply to yours.
You're missing the point. You shouldn't take it personally.
> Assuming everyone is an idiot who a) doesn't know something common and b) isn't able to figure out how to google it and c) isn't able to figure out how to say "where's that from?" in a reply
They are implied when someone feels like they need to cite commonly known, easily found, and easily asked about stuff. That’s like the whole reason why it’s condescending
I'm aware that this is your perspective but you should be aware that it is your subjective opinion. Their intention does not appear to be condescending. They did not assume or imply any of those things. Your anger is misplaced with that individual; they didn't hurt you.
Dear jfindper,
I hope this professional email finds you well.
Would you mind reading about HN's approach to comments and site guidelines?
https://news.ycombinator.com/newswelcome.html
Please don't fulminate. Please don't sneer, including at the rest of the community.
Kind regards,
A. Webshitter
When I saw "WIZ Research - Critical Vulnerabilities in React and Next.js" on the big image banner, I immediately thought that Wiz found the vulnerability.
When Reuters has an article that says "Reuters Business - Interest rates going up", do you think Reuters made the interest rates go up themselves or that they are reporting on the interest rates?
Reuters isn’t a bank. Wiz is a security company so they have a greater responsibility to distinguish between their own original work and discoveries made by other researchers.
presentation and formatting aside the constant attempts to manufacture legitimacy and signal urgency are a classic tell. everything is "near-100%" reliable, urgent, critical, reproducible, catastrophic. siren emoji
>Because author says it, it doesn't mean that it is true.
And because random HNer says it is ai doesn't mean it is ai.
>But still, is it so important?
Not to me, no. If the information is useful/entertaining/etc., I don't really care. But having to read "it's ai!" comments on literally every article/blog posted for the next 10 years is going to be super annoying. Especially if the reasoning provided is "they used the word critical". At least you pointed to something kind of interesting with the quotation marks (although, certainly not definitive of anything), rather than saying some extremely common word = ai.
So smart quotes is now an LLM tell? You know that a lot of people write in word processors that automatically replace standard quotes with smart quotes (like, say, MS Word), and that these word processors can then export HTML straight into your block or preserve the smart quotes across a copy & paste? Several blog WYSIWYG editors will also directly insert them as well.
The document doesn't have both in it. It's possible it was edited, but someone else in the thread posted the archive.org original version, and it also doesn't have smart quotes:
(Note also that you can end up with mismatched quotes if you paste in a segment of text from some other source that uses them, which is pretty common in journalism for a fast-changing story.)
>Same way if you read an article full of typos you lose trust in it
Not for long! This seems like this will soon be the only way to put something on the internet without people rabidly saying its ai (at least for a few weeks, until people start prompting for typos to be included).
Hey mmsc, first of all - the blogs are not AI Generated!
Second of all, the blog did add more information
"In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
"
In the end - if it helped spreading the news about this risk so teams can fix them faster, then this is our end-goal with these blog posts : )
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).
The important part to know:
- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.