@tynt.bsky.social
✨🔮✨ 🔞
The art, and the artist
14.09.2025 06:17 — 👍 458 🔁 59 💬 5 📌 2
art I made for @aurawolfie.bsky.social ✨🌊!!!
19.01.2026 22:04 — 👍 380 🔁 95 💬 6 📌 0
Portrait of my reflection in the window
15.12.2025 19:38 — 👍 902 🔁 244 💬 8 📌 1
Fursona Avocado is photographed with a flash in the darkness. It stares into the camera. There is some dust floating around out of focus.
09.05.2024 00:35 — 👍 25 🔁 3 💬 1 📌 1
good read 10/10 🏆
14.12.2025 21:35 — 👍 1 🔁 0 💬 0 📌 0
A chubby wooden kitty looking content, arms resting on his belly
I hope his peace is contagious
10.12.2025 15:07 — 👍 2652 🔁 918 💬 12 📌 5
a thief in the paint
12.12.2025 18:56 — 👍 563 🔁 90 💬 4 📌 0
if a gamma ray burst type event happened I would simply dodge. not worried about it
11.12.2025 09:08 — 👍 34 🔁 5 💬 6 📌 1
cawm
11.12.2025 01:31 — 👍 619 🔁 127 💬 1 📌 0
BB is peak 🎩
10.12.2025 22:36 — 👍 1 🔁 0 💬 0 📌 0
Do it now
10.12.2025 13:52 — 👍 3175 🔁 545 💬 17 📌 2
One clarification: While the vulnerability is present regardless of Server Actions, it technically leverages Server Functions, which are a shared component in RSC's architecture.
It was the fact that other RSC features relied on Server Functions that led to every RSC app having a vulnerable endpoint.
Ultimately, what you will need to check varies with the framework and architecture of your app. Different frameworks have different patterns, some more idiomatic, some with more sharp edges, but all very new and unfamiliar to most engineers.
08.12.2025 12:20 — 👍 1 🔁 0 💬 1 📌 0
So just like in any backend scenario handling untrusted input, you would perform validation and other checks inside of that server action function.
My personal opinion is that exactly what validation needs to be performed in your average React app with a Server Action can be extremely unclear.
To answer your question about the security boundary of Server Actions: the action has to be in a file marked with the directive 'use server', which indicates it will execute on the server. The client calls the function with the arguments from a separate file. These arguments are untrusted input.
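An added example (not React's code and not the poster's) of the kind of validation the post above describes: a hypothetical 'use server' action that treats its arguments as untrusted, rejects prototype-chain keys and then-ables before anything else, and enforces a fixed schema. The action name, the field schema and the limits are assumptions.

```javascript
'use strict';

// Keys that must never appear in attacker-controlled objects: each one
// reaches the prototype chain rather than a plain data field.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept only plain objects (Object.prototype or null prototype), arrays and
// primitives; reject functions, then-ables and prototype-chain keys.
function isSafeValue(value, depth = 0) {
  if (depth > 8) return false;                          // bound recursion depth
  const t = typeof value;
  if (value === null || t === 'string' || t === 'number' || t === 'boolean') return true;
  if (t !== 'object') return false;                     // function, symbol, bigint, undefined
  if (Array.isArray(value)) return value.every(v => isSafeValue(v, depth + 1));
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return false;
  if (typeof value.then === 'function') return false;   // a then-able would be awaited
  for (const key of Object.keys(value)) {               // own keys only; JSON.parse makes
    if (FORBIDDEN_KEYS.has(key)) return false;          // "__proto__" an own key
    if (!isSafeValue(value[key], depth + 1)) return false;
  }
  return true;
}

// Hypothetical schema: { displayName: string(1..64), bio?: string(0..500) }.
function validateProfileInput(input) {
  if (!isSafeValue(input) || input === null || typeof input !== 'object' || Array.isArray(input))
    return { ok: false, error: 'malformed input' };
  const { displayName, bio } = input;
  if (typeof displayName !== 'string' || displayName.length < 1 || displayName.length > 64)
    return { ok: false, error: 'displayName must be a string of 1-64 chars' };
  if (bio !== undefined && (typeof bio !== 'string' || bio.length > 500))
    return { ok: false, error: 'bio must be a string of at most 500 chars' };
  const extra = Object.keys(input).filter(k => k !== 'displayName' && k !== 'bio');
  if (extra.length > 0) return { ok: false, error: 'unexpected fields: ' + extra.join(', ') };
  return { ok: true, value: { displayName, bio: bio ?? '' } };
}

// The server action itself (in a real app this file would carry 'use server').
// Its arguments arrive from the client and are validated before any work.
async function updateProfileAction(input) {
  const checked = validateProfileInput(input);
  if (!checked.ok) return { status: 400, error: checked.error };
  // ... persist checked.value here ...
  return { status: 200, saved: checked.value };
}
```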
08.12.2025 12:11 — 👍 0 🔁 0 💬 1 📌 0
From a dev's perspective, those are React Server Actions. Generally, most apps built in React use a mix of client and server components, with the latter benefitting from features like streaming, which use the deserializer. This vulnerability would have been present regardless of Server Actions.
08.12.2025 12:08 — 👍 1 🔁 0 💬 1 📌 0
Technically, you do not need to traverse to a then-able promise. There are other vectors as well that are susceptible to the same lack of guard check.
The irony of it all is that the guard check was actually imported into the file but then never used in the code. Oops! 🫨
The deserializer in Flight, React's protocol for client/server communication, was missing a guard check. This allowed attackers to craft and send a malicious "chunk" object that allows for prototype pollution, ultimately resulting in a call to a then-able promise that will execute code.
08.12.2025 11:39 — 👍 1 🔁 0 💬 1 📌 0
and the world is richer for it 😌
01.12.2025 21:40 — 👍 3 🔁 0 💬 1 📌 0
charging for a bit
commission for @phira.bsky.social
Hi
30.11.2025 06:33 — 👍 219 🔁 21 💬 6 📌 0
one of the all time songs. my soul is tuning in every time it plays.
26.10.2025 20:42 — 👍 1 🔁 0 💬 1 📌 0
This was a Skeb thank-you!
23.10.2025 16:57 — 👍 1052 🔁 251 💬 3 📌 1
Seasons Are Changing.
20.09.2025 19:19 — 👍 19 🔁 2 💬 0 📌 0