HackerTrans
TopNewTrendsCommentsPastAskShowJobs

orkj

no profile record

Submissions

Closing Composer's Download Fallback Paths in Private Packagist

blog.packagist.com
2 points·by orkj·पिछला माह·0 comments

Malicious Checkmarx Artifacts Found in Official KICS Docker Repo and Code Ext

socket.dev
3 points·by orkj·3 माह पहले·0 comments

React2Shell (CVE-2025-55182/CVE-2025-66478)

react2shell.com
12 points·by orkj·7 माह पहले·3 comments

comments

orkj
·7 माह पहले·discuss
From the reporter of the React vulnerablility, Lachlan Davidson
orkj
·7 माह पहले·discuss
very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability
orkj
·पिछला वर्ष·discuss
Tangentially related: I have been having a ton of fun programming for the sensor watch lately: https://www.sensorwatch.net/

Granted it's far from as smart as pebble, but that battery life... ♥