FINDarkside | 11 months ago

Yeah, "obvious" critical vulnerability that is easy to use against any Nextjs app, spend 2 weeks making a fix and then announce on Friday evening that all Nextjs apps are free game. Lovely. Luckily doesn't affect any of the sites I'm responsible for, since I hated middleware and most of the Nextjs "magic" features already.

jonny_eh | 11 months ago

> spend 2 weeks making a fix

They didn't spend 2 weeks making a fix, that took a few hours. It took them two weeks to look at the report.

notnullorvoid | 11 months ago

It took them a week to respond about the initial report for v12.0.0; the exploit was so trivial and obvious that even that should have been a warning to go check newer versions themselves, even if they hadn't seen the follow-up message that had been sent a few days prior showing that the vulnerability was present in later versions.

slowtrek | 11 months ago

"Luckily doesn't affect any of the sites I'm responsible for, since I hated middleware and most of the Nextjs "magic" features already."

This is probably the most important comment. You don't have to use Next.js, and if you do have to, you don't have to use everything they have in it.

BoorishBears | 11 months ago

I don't think that's the takeaway.