TanStack Start now supports React Server Components (RSCs). Does that make it vulnerable to the React2Shell exploit? No. Lets talk about how R2S works and how TanStack Start is immune.

00:00 Introduction
00:36 How React2Shell Works
02:11 Why TanStack Start Isn't Vulnerable
03:26 Outroduction

Jack Herrington

TanStack Start's new React Server Components support does not expose apps to the React2Shell CVE that affects Next.js. Three key reasons explain why: TanStack Start routes server functions to module-specific URLs (not a predictable slash endpoint), only includes server function code when explicitly defined, and uses the Seroval data format instead of React's flight data format. Flight data's object reference traversal mechanism is the root cause of React2Shell, and Seroval avoids this attack vector entirely. Past CVEs against Seroval were permanently fixed without the single-payload attack surface that flight data has.

React2Shell on TanStack Start?!?

<p>Nice another bonus to using Start. Like you needed more reasons to use it lol it’s already awesome!!</p>
