Critical RCE Vulnerabilities in React and Next.js
1. bri3d+c9 2025-12-03 16:43:02
>>gonepi+(OP)
Here's a patch diff:

https://github.com/vercel/next.js/compare/v15.0.4...v15.0.5

It looks like the fix is checking hasOwnProperty, so it's almost certainly an issue with prototype chain pollution.

2. Edward+XS2 2025-12-04 12:59:21
>>bri3d+c9
Unrelated but... wow, this is... certainly some code.

      return "*" === metadata[2]
        ? moduleExports
        : "" === metadata[2]
          ? moduleExports.__esModule
            ? moduleExports.default
            : moduleExports
          : moduleExports[metadata[2]];

3. bri3d+qA4 2025-12-04 22:00:22
>>Edward+XS2
It's generated code ("compiled" JavaScript); I found it easier to read than the "main" diff in React which was (intentionally, I think?) obfuscated with additional changesets.
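
Added example, not part of the thread and not the React or Next.js source or patch: it reuses the shape of the lookup quoted in comment 2 to show why a `hasOwnProperty` check matters there. The `resolveExportChecked` variant, the sample module and the metadata layout are assumptions constructed for illustration.

```javascript
const hasOwn = Object.prototype.hasOwnProperty;

// Same shape as the snippet quoted in the thread: metadata[2] picks the export.
// A bracket lookup walks the prototype chain, so names the module never
// exported (anything on Object.prototype) still resolve to a value.
function resolveExportUnchecked(moduleExports, metadata) {
  return "*" === metadata[2]
    ? moduleExports
    : "" === metadata[2]
      ? moduleExports.__esModule
        ? moduleExports.default
        : moduleExports
      : moduleExports[metadata[2]];
}

// Hypothetical hardened variant: a named export must be an own property.
function resolveExportChecked(moduleExports, metadata) {
  const name = metadata[2];
  if (name === "*") return moduleExports;
  if (name === "") {
    return moduleExports.__esModule ? moduleExports.default : moduleExports;
  }
  return hasOwn.call(moduleExports, name) ? moduleExports[name] : undefined;
}

// Constructed sample module; only `default` and `greet` are real exports.
const sampleModule = {
  __esModule: true,
  default: function Page() {},
  greet: () => "hi",
};

// Resolve one export name both ways and report the type each lookup yields.
function compare(name) {
  const metadata = ["module-id", [], name]; // constructed metadata layout
  return {
    unchecked: typeof resolveExportUnchecked(sampleModule, metadata),
    checked: typeof resolveExportChecked(sampleModule, metadata),
  };
}

for (const name of ["greet", "", "toString", "valueOf"]) {
  console.log(JSON.stringify(name), compare(name));
}
```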