zlacker

[parent] [thread] 3 comments
1. bri3d+(OP)[view] [source] 2025-12-03 16:43:02
Here's a patch diff:

https://github.com/vercel/next.js/compare/v15.0.4...v15.0.5

It looks like the fix is checking hasOwnProperty, so it's almost certainly an issue with prototype chain pollution.

replies(2): >>cybera+ca >>Edward+LJ2
2. cybera+ca[view] [source] 2025-12-03 17:25:59
>>bri3d+(OP)
I think this is the fix for the React Server: https://github.com/facebook/react/pull/35277/files

It looks like it only affects dynamic reloading? If I understand correctly, the client can just politely ask the server to load arbitrary code, and the server agrees.

This should never be enabled in production in the first place. I'm not surprised that they are fundamentally vulnerable, and this is likely not going to be the last RCE in this part of the code.

3. Edward+LJ2[view] [source] 2025-12-04 12:59:21
>>bri3d+(OP)
Unrelated but... wow, this is... certainly some code.

      return "*" === metadata[2]
        ? moduleExports
        : "" === metadata[2]
          ? moduleExports.__esModule
            ? moduleExports.default
            : moduleExports
          : moduleExports[metadata[2]];
replies(1): >>bri3d+er4
◧◩
4. bri3d+er4[view] [source] [discussion] 2025-12-04 22:00:22
>>Edward+LJ2
It's generated code ("compiled" Javascript); I found it easier to read than the "main" diff in React which was (intentionally, I think?) obfuscated with additional changesets.
[go to top]