top | item 46137170

(no title)

Basically, JavaScript should not be running on servers.

Vulnerabilities caused by shoddy JS are a lot more impactful to a server since multiple users will be served by the same runtime instance.

discuss

cyberax|2 months ago

It's not JavaScript by itself. It's unsafe coding practices that blend production and development code.

The bug here is in the hot reloading code. It should not be enabled anywhere but on developers' machines.

acdha|2 months ago

It's not entirely JavaScript but it is partially due to some of the language's history and culture: prototype pollution wouldn't be possible in every other language and not everyone has culture around things like decoding payloads in an exploitable manner (e.g. in the Python world some people used to decode pickled objects but it was always frowned upon; the Java world has had debates over the years about this). The big one which is unique to JavaScript is the culture around client-side execution and mixing code running between the two environments, which means you have a lot of machinery setup to execute code on the server and/or clients, making it both easy to have confusion around the execution context in ways which have been exploited and encouraging people to do things like ship complex objects between the two which programmers using other backend languages wouldn't consider because they never had the possibility of running directly in the browser.

cluckindan|2 months ago

Not entirely true. The bug is also in the dev server, but primarily the exploitable vulnerability is in apps built for production.

tempaccount420|2 months ago

It's never JavaScript itself, but somehow it's almost always JavaScript code...