undefined | Better HN

0 pointspier251y ago0 comments

> no evidence of in the wild exploitation

That's how zero day exploits work. People keep it quiet so they can keep exploiting it.

0 comments

Sure, but its also how vulns not currently being exploited works.

Good security is about risk management. For a vuln not thought to be exploited, an extra week or two is a reasonable cost/benefit to ensure a proper job was done fixing it and making sure nobody has to pull an all nighter.

If they sat on it for a year, that would be a different story.

pier25OP1y ago

It's impossible to know how many people knew about it before it was reported. It's also trivial to add a header to bypass middleware. Apparently it was there since v12 released in 2021 so god only knows how much damage this has caused already.

And let's not forget there are still many unpatched Next self hosted apps, right now.

I can't believe how anyone can downplay this in any way.

j / k navigate · click thread line to collapse