
I see this type of vulnerability all the time. Seen it in Java, Lua, JavaScript, Python and so on.

I think deserialization that relies on blacklists of properties is a dangerous game.

I think rolling your own object deserialization in a library that isn’t fully dedicated to deserialization is about as dangerous as writing your own encryption code.



Only if you're deserializing into objects with behavior.


What does data in a program do apart from eventually modify behavior?
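An added example (not from this thread or any library it mentions) contrasting the two points raised above: a deserializer that sets arbitrary JSON keys on an object with behaviour, guarded only by a denylist of property names, beside one that loads only declared fields into a plain data record. `Account`, `AccountRecord`, the denylist and the sample payload are all constructed for illustration.

```python
"""Denylist vs. allowlist object deserialization (constructed example)."""
import json
from dataclasses import dataclass, fields

# --- Denylist style: data is written onto an object that carries behaviour ---
DENIED_KEYS = {"__class__", "__dict__"}  # a fixed list of "known bad" names


class Account:
    def __init__(self):
        self.name = ""
        self.balance = 0

    def is_admin(self):  # behaviour living on the same object as the data
        return False


def load_denylist(payload: str) -> Account:
    obj = Account()
    for key, value in json.loads(payload).items():
        if key in DENIED_KEYS:
            raise ValueError(f"rejected key {key!r}")
        setattr(obj, key, value)  # every key NOT on the list is accepted
    return obj


# --- Allowlist style: data goes into a plain record with no behaviour ---
@dataclass(frozen=True)
class AccountRecord:
    name: str
    balance: int


def load_allowlist(payload: str) -> AccountRecord:
    data = json.loads(payload)
    allowed = {f.name: f.type for f in fields(AccountRecord)}
    unknown = set(data) - set(allowed)
    if unknown:
        raise ValueError(f"rejected unexpected keys: {sorted(unknown)}")
    for key, typ in allowed.items():
        value = data.get(key)
        # bool is a subclass of int in Python, so reject it explicitly for ints
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValueError(f"field {key!r} missing or of wrong type")
    return AccountRecord(**data)


def is_rejected(loader, payload: str) -> bool:
    """True if the loader refuses the payload with ValueError."""
    try:
        loader(payload)
    except ValueError:
        return True
    return False
```

With the denylist loader, a key that merely shares a name with a method (here `is_admin`) is not on the list, so it silently replaces the method with plain data; the allowlist loader refuses the same payload outright.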


