React 19 useCallback Stale Closures Can Leak Tenant Data in Multi-Tenant Apps
A developer shipping a multi-tenant AI dashboard discovered that React 19's useCallback memoization can cause stale closures that leak one tenant's data into another tenant's API calls. The bug surfaced in production when rapid tenant switches occurred while async AI requests were still in-flight, resulting in Tenant B's Claude API calls inadvertently using Tenant A's system prompts. Although the dependency array correctly lists tenantId, it only guards against stale values at render time and cannot cancel or correct closures already captured during ongoing async operations. The issue is particularly hard to catch because it leaves no TypeScript errors, no failed requests, and no visible staging-environment symptoms. In SaaS applications, this silent timing flaw constitutes a data isolation violation that can affect hundreds of tenant accounts concurrently.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
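
A small model of the race summarized above, added here as an illustration and not taken from the original article or the affected application. It uses no React: `makeSend`, `session`, `prompts`, `pending` and the way the resumed request picks up the currently active tenant are assumptions chosen to show a closure captured for Tenant A resuming after a switch to Tenant B, next to a variant that re-checks the tenant after the async boundary.

```javascript
// Constructed model of the race: no React and no network involved.
// makeSend() plays the role of a useCallback body created during a render.
const prompts = { A: "Tenant A system prompt", B: "Tenant B system prompt" }; // constructed
const session = { activeTenant: "A" }; // assumed app-level "current tenant" state
const pending = [];                    // continuations parked at an async boundary

function makeSend(tenantId, guarded) {
  return function send(userText) {
    const systemPrompt = prompts[tenantId]; // value captured for this render's tenant
    // Everything below runs later, as code after an `await` would.
    pending.push(() => {
      if (guarded && session.activeTenant !== tenantId) {
        return { dropped: true, capturedTenant: tenantId }; // tenant changed: discard
      }
      // Assumed failure mode: the request is attributed to whoever is active
      // now, but still carries the prompt captured before the switch.
      return { tenant: session.activeTenant, systemPrompt, userText };
    });
  };
}

// Start a request as tenant A, switch to B while it is in flight, then resume it.
function switchDuringFlight(guarded) {
  session.activeTenant = "A";
  pending.length = 0;
  const send = makeSend("A", guarded);
  send("summarize open tickets");
  session.activeTenant = "B";
  return pending.map((resume) => resume())[0];
}

console.log("unguarded:", switchDuringFlight(false));
console.log("guarded:  ", switchDuringFlight(true));
```

In a real component the same re-check belongs after every `await` inside the callback, or the in-flight request can be cancelled with an `AbortController` from an effect cleanup when `tenantId` changes.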

