[Flight Reply] Early bailout if backing entry for Blob deserialization is not a Blob#36055
Merged
eps1lon merged 2 commits intofacebook:mainfrom Mar 17, 2026
Merged
[Flight Reply] Early bailout if backing entry for Blob deserialization is not a Blob#36055eps1lon merged 2 commits intofacebook:mainfrom
eps1lon merged 2 commits intofacebook:mainfrom
Conversation
github-actions
bot
added
the
React Core Team
|
Comparing: c80a075...a46c5af Critical size changesIncludes critical production bundles, as well as any change greater than 2%:
Significant size changesIncludes any change greater than 0.2%: (No significant changes) |
unstubbable
approved these changes
Mar 17, 2026
|
Thanks for reporting this I'll take a look at it
…On Tue, Mar 17, 2026, 10:51 AM eps1lon ***@***.***> wrote:
Merged #36055 <#36055> into main.
—
Reply to this email directly, view it on GitHub
<#36055 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/B7BPWU64U3DGUFBWUDP5NQ34REUZXAVCNFSM6AAAAACWUOH5H2VHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMRTGYZTSMJSHA4TAMA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Additional security hardening to bail out early for malformed Server Action payloads.
The
$B(Blob) case inparseModelStringreturned whateverFormData.get()returned without validating its type. SinceFormData.get()returns either a string or a File/Blob, an attacker could store a large string in a FormData slot and reference it via$B, bypassing thebumpArrayCountsize guard that applies to regular string values. However, this does not lead to a real attack vector because it doesn't produce amplification. For that, it would need to be combined with regular references in nested arrays, which are covered by the array counting mitigation.As a defense-in-depth mitigation, this adds an
instanceof Blobcheck that rejects non-Blob backing entries. Bumping the array count for Blob size is not necessary because real Blobs are opaque handles — they don't expand during common operations likeJSON.stringify(which produces{}),.flat(), or.toString(). The data only materializes through explicit reads like.text()or.arrayBuffer(), and since all references to the same$BID resolve to the same object, there is no memory duplication.