zlacker

1. benmmu+(OP) 2025-12-03 17:09:15
I suspect the commit to fix is:

https://github.com/facebook/react/commit/bbed0b0ee64b89353a4...

and it looks like it's been squashed with some other stuff to hide it or maybe there are other problems as well.

This pattern appears 4 times and looks like it is reducing the functions that are exposed to the 'whitelist'. I presume the modules have dangerous functions in the prototype chain and clients were able to invoke them.

      -  return moduleExports[metadata.name];
      +  if (hasOwnProperty.call(moduleExports, metadata.name)) {
      +    return moduleExports[metadata.name];
      +  }
      +  return (undefined: any);
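
Review bot: the fallback `return (undefined: any);` on the last added line makes a rejected `metadata.name` indistinguishable from an export whose value really is undefined, and the `any` cast hides that from the type checker; consider throwing there, or documenting that every caller must handle undefined, so a lookup of a non-own name fails at this point instead of somewhere downstream. The guard also depends on a bare `hasOwnProperty` binding that is not defined in the visible lines, so it is worth confirming it is the one from Object.prototype and not a method read off `moduleExports`. Since the comment says the pattern appears 4 times, a single shared helper would keep those sites from drifting apart.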
replies(1): >>hackho+95
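
The lookup behaviour discussed in the comment above, as an added example that is not part of the original post or of React's code: it compares a plain bracket lookup with the own-property guard from the quoted hunk, including objects where calling `obj.hasOwnProperty(...)` directly would fail or be misleading. The function names and the sample objects are hypothetical and constructed for illustration.

```javascript
// Added illustration; lookupUnchecked, lookupOwn and classify are hypothetical names.
const hasOwn = Object.prototype.hasOwnProperty;

// Shape of the removed line: a bracket lookup walks the prototype chain.
function lookupUnchecked(moduleExports, name) {
  return moduleExports[name];
}

// Shape of the added lines: only properties defined on the object itself are returned.
function lookupOwn(moduleExports, name) {
  if (hasOwn.call(moduleExports, name)) {
    return moduleExports[name];
  }
  return undefined;
}

// Constructed sample module with a single intended export.
const sampleModule = { greet: () => 'hello' };

// Edge cases that explain the hasOwnProperty.call(...) form:
// an object with no prototype has no hasOwnProperty method at all,
// and an object can define its own hasOwnProperty that always says yes.
const bare = Object.assign(Object.create(null), { greet: () => 'hello' });
const shadowing = { greet: () => 'hello', hasOwnProperty: () => true };

// Report what each lookup style resolves for a list of requested names.
function classify(moduleExports, names) {
  return names.map((name) => ({
    name,
    unchecked: typeof lookupUnchecked(moduleExports, name),
    own: typeof lookupOwn(moduleExports, name),
  }));
}

const names = ['greet', 'constructor', 'toString', '__proto__', 'missing'];
console.table(classify(sampleModule, names));
console.table(classify(bare, names));
console.table(classify(shadowing, names));
```

In the first table only `greet` survives the guarded lookup, while the unchecked lookup also resolves the inherited names.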
2. hackho+95 2025-12-03 17:31:09
>>benmmu+(OP)
It could also be https://github.com/facebook/react/commit/7dc903cd29dac55efb4... ("This also fixes a critical security vulnerability.")
replies(1): >>nine_k+f8
3. nine_k+f8 2025-12-03 17:46:32
>>hackho+95
It does the same thing here, too: https://github.com/facebook/react/commit/7dc903cd29dac55efb4...