
[return to "Critical RCE Vulnerabilities in React and Next.js"]
1. bri3d+c9 2025-12-03 16:43:02
>>gonepi+(OP)
Here's a patch diff:

https://github.com/vercel/next.js/compare/v15.0.4...v15.0.5

It looks like the fix is checking hasOwnProperty, so it's almost certainly an issue with prototype chain pollution.
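
Added example, not part of the comment above and not code from React or Next.js: a generic illustration of why a `hasOwnProperty` check matters when a server resolves a client-supplied name against an object. The `actions` table and the function names are hypothetical, and the name list is constructed sample input.

```javascript
// Hypothetical server-side table of functions that clients may invoke by name.
const actions = {
  ping: () => 'pong',
  add: (a, b) => a + b,
};

// Unguarded lookup: bracket access walks the prototype chain, so names the
// server never registered (inherited from Object.prototype) also resolve.
function resolveUnsafe(table, name) {
  return table[name];
}

// Guarded lookup: accept only own properties, and only if they are functions.
function resolveSafe(table, name) {
  if (typeof name !== 'string' ||
      !Object.prototype.hasOwnProperty.call(table, name)) {
    return undefined;
  }
  const value = table[name];
  return typeof value === 'function' ? value : undefined;
}

// Compare both lookups over a list of requested names.
function audit(table, names) {
  return names.map((name) => ({
    name,
    unsafeResolves: resolveUnsafe(table, name) !== undefined,
    safeResolves: resolveSafe(table, name) !== undefined,
  }));
}

// Constructed sample input: one registered name, three inherited, one absent.
const report = audit(actions,
  ['ping', 'constructor', 'toString', '__proto__', 'missing']);

for (const row of report) {
  console.log(row.name.padEnd(12),
    'unsafe:', row.unsafeResolves, 'safe:', row.safeResolves);
}
```

A table created with `Object.create(null)` or a `Map` has no inherited names to resolve, which removes the need for the check at each lookup site.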

2. cybera+oj 2025-12-03 17:25:59
>>bri3d+c9
I think this is the fix for the React Server: https://github.com/facebook/react/pull/35277/files

It looks like it only affects dynamic reloading? If I understand correctly, the client can just politely ask the server to load arbitrary code, and the server agrees.

This should never be enabled in production in the first place. I'm not surprised that they are fundamentally vulnerable, and this is likely not going to be the last RCE in this part of the code.
