HackerTrans
TopNewTrendsCommentsPastAskShowJobs

gonepivoting

no profile record

Submissions

Critical RCE Vulnerabilities in React and Next.js

wiz.io
134 points·by gonepivoting·7 เดือนที่ผ่านมา·77 comments

comments

gonepivoting
·7 เดือนที่ผ่านมา·discuss
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).
gonepivoting
·7 เดือนที่ผ่านมา·discuss
Just to simplify this - our exploitation tests so far have shown that a standard Next.js application created via create-next-app and built for production is vulnerable to CVE-2025-66478 without any specific code modifications by the developer - so this is essentially exploitable out-of-the-box.
gonepivoting
·8 เดือนที่ผ่านมา·discuss
We're monitoring this activity as well and updating the list of affected packages here: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-...

Currently reverse engineering the malicious payload and will share our findings within the next few hours.