zlacker

[return to "RCE Vulnerability in React and Next.js"]
1. benmmu+bg[view] [source] 2025-12-03 17:09:15
>>rayhaa+(OP)
I suspect the commit to fix is:

https://github.com/facebook/react/commit/bbed0b0ee64b89353a4...

and it looks like its been squashed with some other stuff to hide it or maybe there are other problems as well.

this pattern appears 4 times and looks like it is reducing the functions that are exposed to the 'whitelist'. i presume the modules have dangerous functions in the prototype chain and clients were able to invoke them.

      -  return moduleExports[metadata.name];
      +  if (hasOwnProperty.call(moduleExports, metadata.name)) {
      +    return moduleExports[metadata.name];
      +  }
      +  return (undefined: any);
◧◩
2. hackho+kl[view] [source] 2025-12-03 17:31:09
>>benmmu+bg
It could also be https://github.com/facebook/react/commit/7dc903cd29dac55efb4... ("This also fixes a critical security vulnerability.")
◧◩◪
3. nine_k+qo[view] [source] 2025-12-03 17:46:32
>>hackho+kl
It does the same thing here, too: https://github.com/facebook/react/commit/7dc903cd29dac55efb4...
[go to top]