Hackers' Pub

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

Jan Lehnardt @janl@narrativ.es

12/13/2025, 8:44:52 AM

Public

This is very funny because the opposite is true.

I’ve been an open source software vendor for 15+ years and what actually happens when you have a critical vulnerability disclosed to you, you fix it, try and find all other instances of it and put a structural safety net in place that the category of this error can be ruled out for the entire codebase and cannot happen again in future *before* the CVE is made public. Even with tiny volunteer teams.

Citing Log4j here, which was (and is) famously understaffed and underfunded, just tells you how badly resourced react is and they are trying to save their asses and blaming you for not realising that the first fix maybe wasn’t sufficient.

https://hails.org/@hailey/115703205121296903

A big highlighted “Note” section on the latest CVE announcement on the react.dev site reading:

It’s common for critical CVEs to uncover follow‑up vulnerabilities.

When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.

This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs (1, 2) were reported as the community probed the original fix.

Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.

Hailey (@hailey@hails.org)

Attached: 1 image check out the perception management going on in react’s latest cve disclosure

social.hails.org · hails.org

Frederik Braun � @freddy@social.security.plumbing

12/13/2025, 8:52:01 AM

Public

@janlJan Lehnardt I was going to say we do the same in our open source repository but while our documentation is extensive, I couldn’t find a mention of variant anslysis at all. On my todo-list for Monday, then. https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#fixing-security-bugs

Fixing Security Bugs — Firefox Source Docs documentation

firefox-source-docs.mozilla.org

If you have a fediverse account, you can quote this note from your own instance. Search https://social.security.plumbing/users/freddy/statuses/115711405019882383 on your instance and quote it. (Note that quoting is not supported in Mastodon.)