>one for tourists (requires a local SIM card only available in a specific hotel in Pyongyang).
I do not think that exists. I imagine the diplomats and other foreigners living there will have this, though.
When I was there two times (in Pyongyang, and in villages in the north east & Rason) any access to the outside world was prohibited via a network other than telephone (I could make outgoing phone calls via the hotel). Even traveling very close to the border (where they use jammers to block outside connections), my guides were annoyed when they saw I was trying to connect to the Chinese network from my phone.
The only place I saw any access "to the outside world" was in Rason (https://en.wikipedia.org/wiki/Rason_Special_Economic_Zone), where one of the casinos had a computer which could be used to access the internet (through the Chinese GFW, of course).
It seems like this vulnerability is yet another prototype pollution vulnerability.
There was a TC39 proposal a few years ago [0] that proposed to block the getting/setting of object prototypes using the bracket notation, which would have prevented this vulnerability.
At the moment, every single get/set with a square bracket, which uses untrusted data, needs to do some manual check to see whether variables contain "bad" keys like `__proto__`, `prototype`, `constructor`, and so on. This is incredibly annoying, and doesn't really fix the issue. It's possible also to freeze an object's prototype, but that causes other issues. It's also possible to use Object.create(null), and Object.hasOwn (also known as Object.prototype.hasOwnProperty), but again, this does not scale because it has to be done _every single time_.
Maybe it's time to revisit this from a language perspective, instead of continuous bandaid fixes for this language-specific vulnerability (a similar language-specific vulnerability exists in Python called class pollution, but it's ... extremely uncommon).
That being said, it _will_ happen if you use your own merge() function like the TC-39 proposal demonstrates, but it's because you are using the [] syntax to implement it, which can affect __proto__.
Side note, JSON.parse() also doesn't let you set the actual prototype:
On Node.js there are some hardening flags like --disable-proto=throw and --frozen-intrinsics to mitigate/crash on prototype pollution, and to prevent dynamic evals with --disallow-code-generation-from-strings - however, Vercel doesn't seem to support custom node runtime options.
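The merge() behaviour and the JSON.parse() side note from the comments above, as an added example that is not code from the thread: a bracket-syntax merge that reaches Object.prototype through a "__proto__" key, beside a hardened merge using a key blocklist, Object.hasOwn and Object.create(null). The JSON payload is constructed for the demo, and the helper names are my own.

```javascript
// Constructed untrusted input: "__proto__" arrives as an ordinary JSON key.
const UNTRUSTED = '{"name":"demo","__proto__":{"polluted":true}}';

// JSON.parse() never changes the prototype: "__proto__" is just an own property.
function parsedProtoIsOwnProperty(json) {
  const obj = JSON.parse(json);
  return Object.hasOwn(obj, "__proto__") && Object.getPrototypeOf(obj) === Object.prototype;
}

// Unsafe: target["__proto__"] hits the Object.prototype getter, so the
// recursion writes the nested keys onto Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys, only descend into own properties,
// and create nested containers with no prototype chain at all.
const BLOCKED_KEYS = new Set(["__proto__", "prototype", "constructor"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the payload made an unrelated object inherit
// "polluted"; removes the marker afterwards so nothing else is affected.
function pollutesGlobalPrototype(merge) {
  merge({}, JSON.parse(UNTRUSTED));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```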
These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.
The important part to know:
- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think ai over a standard template some junior fills out.
>the vulnerability was not found by a Wiz employee at all
I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?
Hackernews' submission guidelines clearly state: "Please submit the original source. If a post reports on something found on another site, submit the latter." [0]
The Wiz post has significantly changed since it was first published (and how it looked when first posted to HN), FYI -- see [1]. When it was published, it was a summary of the React announcement, and was somehow longer than the original and yet provided less useful information than the original.
In any case, the "tell" is the syntactic structure (as Chomsky would say) and certain phrases used in the post.
>in case you aren't aware as to where to find them
The guidelines are linked at the bottom of every page, and directly underneath the comment box on new accounts. I also, perhaps surprisingly, know how to google "hn guidelines". Or ask chatgpt. Or reply "where's that piece of information from?".
>I think that's a doubly reasonable thing to do, given that your account is new, too.
People link the guidelines and, like, wikipedia to accounts that are 10 years old with 30,000 karma. It's a weird quirk of HN.
If you're talking to someone in real life, or professional emails, or whatever and you provide citations for commonly known things/definitions/etc.... you're being condescending.
> If you're talking to someone in real life, or professional emails, or whatever and you provide citations for commonly known things/definitions/etc.... you're being condescending.
If you're commenting on a public forum and you provide citations for commonly known things/definitions/etc., you're supplying the source of your claims for people who may be unaware. You are not the only reader of their comment (nor this one), even if it is in direct reply to yours.
You're missing the point. You shouldn't take it personally.
> Assuming everyone is an idiot who a) doesn't know something common and b) isn't able to figure out how to google it and c) isn't able to figure out how to say "where's that from?" in a reply
They are implied when someone feels like they need to cite commonly known, easily found, and easily asked about stuff. That's like the whole reason why it's condescending.
I'm aware that this is your perspective but you should be aware that it is your subjective opinion. Their intention does not appear to be condescending. They did not assume or imply any of those things. Your anger is misplaced with that individual; they didn't hurt you.
Dear jfindper,
I hope this professional email finds you well.
Would you mind reading about HN's approach to comments and site guidelines?
https://news.ycombinator.com/newswelcome.html
Please don't fulminate. Please don't sneer, including at the rest of the community.
Kind regards,
A. Webshitter
When I saw "WIZ Research - Critical Vulnerabilities in React and Next.js" on the big image banner, I immediately thought that Wiz found the vulnerability.
When Reuters has an article that says "Reuters Business - Interest rates going up", do you think Reuters made the interest rates go up themselves or that they are reporting on the interest rates?
Reuters isn’t a bank. Wiz is a security company so they have a greater responsibility to distinguish between their own original work and discoveries made by other researchers.
presentation and formatting aside the constant attempts to manufacture legitimacy and signal urgency are a classic tell. everything is "near-100%" reliable, urgent, critical, reproducible, catastrophic. siren emoji
>Because author says it, it doesn't mean that it is true.
And because random HNer says it is ai doesn't mean it is ai.
>But still, is it so important?
Not to me, no. If the information is useful/entertaining/etc., I don't really care. But having to read "it's ai!" comments on literally every article/blog posted for the next 10 years is going to be super annoying. Especially if the reasoning provided is "they used the word critical". At least you pointed to something kind of interesting with the quotation marks (although, certainly not definitive of anything), rather than saying some extremely common word = ai.
So smart quotes is now an LLM tell? You know that a lot of people write in word processors that automatically replace standard quotes with smart quotes (like, say, MS Word), and that these word processors can then export HTML straight into your blog or preserve the smart quotes across a copy & paste? Several blog WYSIWYG editors will also directly insert them as well.
The document doesn't have both in it. It's possible it was edited, but someone else in the thread posted the archive.org original version, and it also doesn't have smart quotes:
(Note also that you can end up with mismatched quotes if you paste in a segment of text from some other source that uses them, which is pretty common in journalism for a fast-changing story.)
>Same way if you read an article full of typos you lose trust in it
Not for long! This seems like this will soon be the only way to put something on the internet without people rabidly saying it's ai (at least for a few weeks, until people start prompting for typos to be included).
Hey mmsc, first of all - the blogs are not AI Generated!
Second of all, the blog did add more information
"In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks."
In the end - if it helped spread the news about this risk so teams can fix them faster, then this is our end-goal with these blog posts : )
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).
Still the 'r' parameters (reporting) in the DMARC record are optional, and there is no indication their presence bestows additional legitimacy to a sender.
(For me, it's sort-of the opposite: there are fun spam patterns to be found in DMARC records with reporting addresses!)
Are these documented anywhere? A full month with no response at all puts you firmly in “responsible disclosure” territory if they are not already publicly known. I'm pretty sure DayJob uses keycloak (or at least is assessing it - I'm a bit removed from that side of things these days) so that information could be pertinent to us.
Why would the company need to figure it out from commit hashes? It's all public, in public GitHub repositories, with the person's personal GitHub account: https://github.com/auth0/nextjs-auth0/pull/2381
On the one hand, you're right, it is distasteful, I completely agree. On the other hand, GitHub and Google and the public domain internet isn't everybody's CV that they can pick and choose which of their actions are publicised, tailored towards only their successes.
>First, the typical AI-powered reporter, especially one just pasting GPT output into a submission form, neither knows enough about the actual codebase being examined nor understands the security implications well enough to provide insight that projects need.
How ironic, considering every time I've reported a complicated issue to a program on HackerOne, the triagers have completely rejected them because they do not understand the complicated codebase that they are triaging for.