Hacker News: smlx

New comment by smlx in "Next.js version 15.2.3 has been released to address a security vulnerability"

smlx — Sun, 23 Mar 2025 00:50:43 +0000

next.js has a history of similar vulnerabilities.

I was made aware recently of a vulnerability that was fixed by this patch: https://github.com/vercel/next.js/pull/73482/files

In this vulnerability, adding a 'x-middleware-rewrite: https://www.example.com' header would cause the server to respond with the contents of example.com. i.e. the worlds dumbest SSRF.

Note that there is no CVE for this vulnerability, nor is there any clear information about which versions are affected.

Also note that according to the published support policy for nextjs only "stable" (15.2.x) and "canary" (15.3.x) receive patches. But for the vulnerability reported here they are releasing patches for 14.x and 13.x apparently?

https://github.com/vercel/next.js/blob/canary/contributing/r...

IMO you are playing with fire using nextjs for anything where you care about security and maintenance. Which seems insane for a project with 130k+ Github stars and supported by a major company like vercel.

New comment by smlx in "Kubesafe: Never run Kubernetes commands on the wrong cluster again"

smlx — Sat, 21 Sep 2024 08:07:38 +0000

I came up with a simpler solution that keeps kube contexts separated per terminal.

https://smlx.dev/posts/kubectl-global-state/

New comment by smlx in "Reverse-engineering an encrypted IoT protocol"

smlx — Wed, 14 Feb 2024 17:59:52 +0000

I have never heard of ImHex before. Thanks, I'll take a look!

Reverse-engineering an encrypted IoT protocol

smlx — Wed, 14 Feb 2024 16:34:22 +0000

Article URL: https://smlx.dev/posts/goodwe-sems-protocol-teardown/

Comments URL: https://news.ycombinator.com/item?id=39371831

Points: 232

# Comments: 40

New comment by smlx in "Blocking Kiwifarms"

smlx — Sun, 04 Sep 2022 00:31:41 +0000

Imagine I own a bunch of billboards around town. A customer comes to me with cash and wants to display someone's personal details and a message encouraging harassment on my billboards.

Do I have to wait for law enforcement to stop me from displaying their content? Or can I, as a private company, make a judgement call and decline their business?

I think the answer here is pretty obvious and your attempt at passing the buck is pathetically weak.

New comment by smlx in "JiraCLI"

smlx — Fri, 12 Aug 2022 12:26:28 +0000

I wrote a tool that allows me to avoid the terrible Tempo web UI - you might be interested: https://github.com/smlx/jiratime

New comment by smlx in "Gaming on Wayland"

smlx — Wed, 15 Dec 2021 01:10:58 +0000

Not if you use screen scaling.

New comment by smlx in "Gaming on Wayland"

smlx — Wed, 15 Dec 2021 01:10:06 +0000

More accurately, the developers need to a) fix the buggy implementation of the Gnome-specific protocol they currently use, and b) switch to the standard screensharing protocol.

https://github.com/flathub/us.zoom.Zoom/pull/182#issuecommen...