zlacker

[return to "Critical RCE Vulnerabilities in React and Next.js"]
1. bri3d+c9 2025-12-03 16:43:02
>>gonepi+(OP)
Here's a patch diff:

https://github.com/vercel/next.js/compare/v15.0.4...v15.0.5

It looks like the fix is checking hasOwnProperty, so it's almost certainly an issue with prototype chain pollution.

2. Edward+XS2 2025-12-04 12:59:21
>>bri3d+c9
Unrelated but... wow, this is... certainly some code.

      return "*" === metadata[2]
        ? moduleExports
        : "" === metadata[2]
          ? moduleExports.__esModule
            ? moduleExports.default
            : moduleExports
          : moduleExports[metadata[2]];
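
The following is an added example, not part of the thread and not the actual Next.js or React patch: it restates the quoted ternary as `resolveExportUnchecked` and sets it beside `resolveExportChecked`, which adds a `hasOwnProperty` guard of the kind the first comment describes. The function names, the sample module and the metadata tuple layout (only index 2 appears in the thread) are assumptions made for illustration.

```javascript
// Added illustration; all names below are hypothetical, not the project's code.

// Lookup as quoted in the thread: the export name indexes the module object
// directly, so the prototype chain is consulted when the module has no own
// property with that name.
function resolveExportUnchecked(moduleExports, metadata) {
  const name = metadata[2];
  if (name === "*") return moduleExports;
  if (name === "") {
    return moduleExports.__esModule ? moduleExports.default : moduleExports;
  }
  return moduleExports[name];
}

// Guarded lookup: only names the module itself defines are resolved.
function resolveExportChecked(moduleExports, metadata) {
  const name = metadata[2];
  if (name === "*") return moduleExports;
  if (name === "") {
    return moduleExports.__esModule ? moduleExports.default : moduleExports;
  }
  if (Object.prototype.hasOwnProperty.call(moduleExports, name)) {
    return moduleExports[name];
  }
  return undefined;
}

// Constructed sample module; it exports only `default` and `save`.
const sampleModule = { __esModule: true, default: () => "page", save: () => "saved" };
// Constructed export names: one real export, three inherited names, one absent.
const requestedNames = ["save", "toString", "hasOwnProperty", "__proto__", "missing"];

// For each requested name, report whether each lookup resolved to a value.
function compareLookups(moduleExports, names) {
  return names.map((name) => {
    const metadata = ["mod-1", [], name]; // assumed layout; index 2 = export name
    return {
      name,
      unchecked: resolveExportUnchecked(moduleExports, metadata) !== undefined,
      checked: resolveExportChecked(moduleExports, metadata) !== undefined,
    };
  });
}

console.table(compareLookups(sampleModule, requestedNames));
```

Rows where `unchecked` is true and `checked` is false are names the module never exported but that still resolve through `Object.prototype`.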