HackerTrans
トップ新着トレンドコメント過去質問紹介求人

orkj

no profile record

投稿

Closing Composer's Download Fallback Paths in Private Packagist

blog.packagist.com
2 ポイント·投稿者 orkj·先月·0 コメント

Malicious Checkmarx Artifacts Found in Official KICS Docker Repo and Code Ext

socket.dev
3 ポイント·投稿者 orkj·3 か月前·0 コメント

React2Shell (CVE-2025-55182/CVE-2025-66478)

react2shell.com
12 ポイント·投稿者 orkj·7 か月前·3 コメント

コメント

orkj
·7 か月前·議論
From the reporter of the React vulnerablility, Lachlan Davidson
orkj
·7 か月前·議論
very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability
orkj
·昨年·議論
Tangentially related: I have been having a ton of fun programming for the sensor watch lately: https://www.sensorwatch.net/

Granted it's far from as smart as pebble, but that battery life... ♥