HackerTrans
热门最新趋势评论往期问答秀出招聘

orkj

no profile record

提交

Closing Composer's Download Fallback Paths in Private Packagist

blog.packagist.com
2 分·作者 orkj·上个月·0 评论

Malicious Checkmarx Artifacts Found in Official KICS Docker Repo and Code Ext

socket.dev
3 分·作者 orkj·3个月前·0 评论

React2Shell (CVE-2025-55182/CVE-2025-66478)

react2shell.com
12 分·作者 orkj·7个月前·3 评论

评论

orkj
·7个月前·讨论
From the reporter of the React vulnerablility, Lachlan Davidson
orkj
·7个月前·讨论
very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability
orkj
·去年·讨论
Tangentially related: I have been having a ton of fun programming for the sensor watch lately: https://www.sensorwatch.net/

Granted it's far from as smart as pebble, but that battery life... ♥