zlacker

[parent] [thread] 3 comments
1. rvnx+(OP)[view] [source] 2025-12-03 17:07:42
It's easier for a bad actor to get an exploit, than for an operator to test his own site if the upgrade succeded
replies(1): >>_pdp_+a1
2. _pdp_+a1[view] [source] 2025-12-03 17:12:57
>>rvnx+(OP)
An operator might not be able to upgrade at all!

Along the fixes, the advisories now need to contain detailed workarouds, firewall rules and other adhoc solutions to ensure they get quickly deployed.

replies(2): >>rvnx+02 >>seanw2+bk
◧◩
3. rvnx+02[view] [source] [discussion] 2025-12-03 17:16:30
>>_pdp_+a1
A guide for mitigation is way more useful so we can back port only the fix and test if the fix works.
◧◩
4. seanw2+bk[view] [source] [discussion] 2025-12-03 18:42:10
>>_pdp_+a1
I tend to agree. Cloudflare and Vercel were able to mitigate in the form of WAF rules, but it's not immediately clear what a user or vendor can do to implement mitigations themselves other than updating their dependencies (quickly!).

IMO the CVE announcement could have been better handled. This was a level 10. If other mitigations can are viable and you know about them, you have a responsibility to disclose them in order to best protect the safety of the billions of users of React applications.

I wonder how many applications are still vulnerable.

[go to top]