# React2Shell on TanStack Start?!?

## Metadata

- **Channel:** Jack Herrington
- **YouTube:** https://www.youtube.com/watch?v=-dbvAMsRKi0
- **Date:** 14.04.2026
- **Duration:** 3:53
- **Views:** 5,005
- **Source:** https://ekstraktznaniy.ru/video/49680

## Description

TanStack Start now supports React Server Components (RSCs). Does that make it vulnerable to the React2Shell exploit? No. Let's talk about how R2S works and how TanStack Start is immune.

00:00 Introduction
00:36 How React2Shell Works
02:11 Why TanStack Start Isn't Vulnerable
03:26 Outroduction

## Transcript

### Introduction [0:00]

TanStack Start now supports React Server Components, and before I get into a whole bunch of videos about how to use them because they're awesome, I do want to talk about one particular elephant in the room, and that's security. So, if you think to yourself, "Wait a second, haven't there been a lot of, like, CVEs recently, critical vulnerabilities specifically on React Server Components? Like, why would we want React Server Components in TanStack Start? Wouldn't that just make it vulnerable?" Well, the good news is that no, adding React Server Components to TanStack Start has not made it vulnerable to the React2Shell CVE.

### How React2Shell Works [0:36]

To understand why TanStack Start is not vulnerable to React2Shell, we need to understand a little bit more about how React2Shell works. React2Shell is not actually a vulnerability with React Server Components. It's a vulnerability with server functions. Now, server functions are basically just API calls. You post to the server, and with Next.js, for a server function, you post to the slash endpoint. So, it's predictable as to which endpoint is going to service all server functions. Another issue is that even if you disable server functions on Next.js, that server function endpoint will still process server functions. So, even static sites that don't have server functions are actually vulnerable to React2Shell. And the third and most important reason why we have React2Shell is the flight data payload that goes to server functions that use the React Server Function mechanism. Flight data is a fantastic, cool data format. It supports references between objects as they pass across the boundary of the data format, which is neat. It maintains referential identity, which is super powerful, but of course, the devil is in the details. The way that you can go and reference objects within other parts of the flight data payload makes it very easy for a hacker to traverse to the base methods of the JS object hierarchy and start evaluating random code, which allows you to do something like React2Shell.

### Why TanStack Start Isn't Vulnerable [2:11]

So, why isn't TanStack Start vulnerable when it supports RSCs and server functions? Well, let's talk about those three things again. With Next.js, everything is routed through slash, which makes the endpoint really reliable and easy for hackers to get to. With TanStack Start, the server function endpoint relates directly to the name of the module where the server function is defined. So, you have to know specifically the URL of that particular application, which is a lot harder of a lift. Second, Next.js always has server functions on even if you don't define them. That's not the case with TanStack Start. If you don't define server functions, then we don't put any server function code into your app. And then third, and most importantly, is the data format. So, where with Next.js you have flight data, which remains a vulnerability even today (a CVE just came out a couple of days ago), because the best that they can do is sanitize the flight data format, TanStack Start uses Seroval, which is a much more secure data format. There have been CVEs against Seroval, but they were easily permanently fixed, and none of them had the single-payload attack vector, React2Shell style, that the flight data format has had.

### Outroduction [3:26]

All right, well, I hope this helps ease your mind as you think about using React Server Components in your TanStack Start application. I can't wait to show you all the amazing things that React Server Components are capable of on TanStack Start. If you have any questions or comments, please put them in the comment section right down below. And in the meantime, if you like this video, hit that like button. If you really like the video, hit the subscribe button and click on that bell, and you'll be notified the next time a new Blue Collar Coder comes out.
