Replies: 1 comment
Server functions would be a possible target, but on the way from the client to the server, we cleanly serialize and deserialize over static JSON, which means that no code is directly evaluated like it was in RSC. However, on the way from the server to the client, we currently use eval, which could be exploited if someone was able to successfully perform a man-in-the-middle attack to run arbitrary code on the client. However, at that point, they could also manipulate any other response to contain malicious code, so the vulnerability was not deemed too important. The workaround is currently to not use server functions in SolidStart. The issue is known to the developers and will hopefully be fixed in v2, which is currently being prepared.
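An added illustration of the two deserialization paths contrasted in the comment above; this is not code from SolidStart or from either commenter. A response body handed to `eval` is executed as JavaScript, while the same body handed to `JSON.parse` is only ever treated as data and is rejected if it is not pure JSON. The `$date` tagging convention and the function names are assumptions made for the example, not SolidStart's real wire format.

```javascript
// Added example: eval-based response decoding beside a JSON-only decoder.
// The "$date" tagging convention below is a constructed assumption, not the
// serialization format SolidStart actually uses.

// Risky path: the response body is treated as JavaScript source, so anything
// an intermediary placed in the body runs on the client.
function decodeWithEval(body) {
  return eval(`(${body})`);
}

// Safer path: the body is parsed strictly as JSON. A reviver reconstructs the
// rich values the format needs (here only Date) without evaluating anything,
// and any body that is not pure data fails with a SyntaxError instead.
function decodeWithJson(body) {
  return JSON.parse(body, (key, value) => {
    if (value && typeof value === "object" && typeof value.$date === "string") {
      return new Date(value.$date);
    }
    return value;
  });
}

// Runs both decoders on the same body and records the outcome of each,
// so the difference in behaviour can be inspected side by side.
function compare(body) {
  const result = {};
  try { result.viaEval = decodeWithEval(body); } catch (e) { result.viaEval = `error: ${e.name}`; }
  try { result.viaJson = decodeWithJson(body); } catch (e) { result.viaJson = `error: ${e.name}`; }
  return result;
}

// Constructed sample bodies. The first is valid JSON and decodes the same way
// on both paths; the second is valid JavaScript but not JSON, so only the
// eval path accepts it (and executes the expression it carries).
const WELL_FORMED = '{"user":"alice","at":{"$date":"2025-01-01T00:00:00.000Z"}}';
const NOT_JSON = '{"total": 2 * 21}';

console.log(compare(WELL_FORMED));
console.log(compare(NOT_JSON));
```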
In light of the recent React2Shell CVE-2025-55182 exploit, we should also check if similar exploits are possible in the isomorphic components of solid-start.