News bits
CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
About a vulnerability in which a string placed in a PDF's fontMatrix is executed as arbitrary JavaScript when PDF.js loads the document. It can be avoided by upgrading to the latest PDF.js, v4.2.67, or by setting isEvalSupported: false.
CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js — Codean Labs
Next.js の SSRF 脆弱性 CVE-2024-34351
A summary article on the SSRF vulnerability discovered in Next.js.
A vulnerability affecting self-hosted Next.js deployments that call redirect() inside Server Actions with a path beginning with /: by rewriting the Host header of the HTTP request, an attacker can make the self-hosted Next.js server send arbitrary HTTP requests, including requests to internal APIs.
About the author
Hi there. I'm hrdtbs, a frontend expert and technical consultant. I started my career in the creative industry over 13 years ago, learning on the job as a 3DCG modeler and game engineer in the indie scene.
In 2015 I began working as a freelance web designer and engineer. I handled everything from design and development to operation and advertising, delivering comprehensive solutions for various clients.
In 2016 I joined Wemotion as CTO, where I built the engineering team from the ground up and led the development of core web and mobile applications for three years.
In 2019 I joined matsuri technologies as a Frontend Expert, and in 2020 I also began serving as a technical manager supporting streamers and content creators.
I'm so grateful to be working in this field, doing something that brings me so much joy. Thanks for stopping by.