[tinco]

Unsafe deserialization is a very 2010 Ruby on Rails sort of vulnerability. It is strangely interesting that such a vulnerability was introduced so late in the lifetime of these frameworks. It must be a very sneaky vulnerability given how cautious we have become around deserialization since then.

[Tomuus]

The React Server Components wire format (Flight) is relatively novel and very new (it has existed in React stable for just a year). This is not a simple JSON parsing bug.

[tinco]

The rails bugs weren't about Json parsing, they were deserializing into Ruby objects of classes that had side effects, and those side effects led to RCE possibilities. Since those happened, you'll find any deserialization library, especially in dynamic languages, will have a safe (or conversely unsafe) deserialize function to make it more explicit that there's risks involved.

[LunaSea]

I'm willing to bet that this is linked to the magic __proto__ object namespace in JavaScript

[jazzypants]

You win!