10.0 CVE on React and it's literally just object prototype pollution that can be used for RCE, what are we doing man
not even anything notable, I'm really surprised it hadn't gotten caught much earlier. like sure RSC doesn't have Facebook's oversight (some of the React team members wouldn't have moved to Vercel otherwise) but come on man why aren't there more people scrutinizing the wire format
@mary_ext oh someone found the actual bug? not surprised, it's been hours, but I hadn't seen details
@leo I couldn't sleep, so two hours after the vuln reveal I dug into the diff; it was really obvious. I figured out how it could've worked, but I've yet to find the place where the second function call could've happened (Function("...")())