zlacker

1. Alread+(OP)[view] [source] 2025-12-05 16:41:29
The CVE isn't a zero-day though. How come Cloudflare weren't at the table for early disclosure?
replies(2): >>flamin+J3 >>ascorb+Zf3
2. flamin+J3[view] [source] 2025-12-05 16:58:22
>>Alread+(OP)
Do you have a public source about an embargo period for this one? I wasn't able to find one.
replies(2): >>Pharao+Zb >>charci+If
3. Pharao+Zb[view] [source] [discussion] 2025-12-05 17:33:08
>>flamin+J3
https://react.dev/blog/2025/12/03/critical-security-vulnerab...

Privately disclosed: Nov 29
Fix pushed: Dec 1
Publicly disclosed: Dec 3

replies(1): >>drysar+6d
4. drysar+6d[view] [source] [discussion] 2025-12-05 17:38:43
>>Pharao+Zb
Then even in the worst-case scenario, they were addressing this issue two days after it was publicly disclosed. So this wasn't a "rush to fix the zero-day ASAP" scenario, which makes it harder to justify ignoring errors that started occurring in a small-scale rollout.
5. charci+If[view] [source] [discussion] 2025-12-05 17:49:51
>>flamin+J3
Considering there were patched libraries at the time of disclosure, those libraries' authors must have been informed ahead of time.
6. ascorb+Zf3[view] [source] 2025-12-06 20:09:21
>>Alread+(OP)
Cloudflare did have early access, and had mitigation in place from the start. The changes that were being rolled out were in response to ongoing attempts to bypass those.

Disclosure: I work at Cloudflare, but not on the WAF
