Hacker News: ejpir's comments

so, interfering with elections is "kindergarten", compared to leaking secrets?

unfortunately the bigger models are pretty slow in token speed. The memory is just not that fast.

You can check what each model does on AMD Strix halo here:

https://kyuz0.github.io/amd-strix-halo-toolboxes/


man, cmon. a little more effort.

Sure thing. For those who don’t know, wiring money like this is a good way to lose your money.

https://consumer.ftc.gov/articles/what-know-you-wire-money


Wire transfer is a bank transfer, not money wire to Western Union and like.

Yeah I agree the FTC article could be more clear here. I think they call out Western Union because those are tools that are commonly used by scammers.

But let’s be clear: the risks are the same if you are wiring money through Western Union or wiring through any other bank. Once you wire the money you do not have the same protections as other payment mechanisms. And if you don’t get the product as described, you are likely out your money. This is compared to other forms of payment like credit cards where you are protected. With a credit card you can issue a charge back to the seller and get your money back in the case of fraud. With a wire transfer you cannot.


https://ec.europa.eu/eurostat/statistics-explained/index.php... pretty much contradicts anything you said.


Hah - excellent citation, thank you ejpir for affirming and reinforcing the fact-based truth.


yeah, because the whole world uses Google workspaces, right /s


That and MS Office are pretty darn popular. Not the whole world, but a very decent percentage of your users.


Maybe the whole thing was intentional, right at the footer of viva "Cloud services by Microsoft Azure" ; #1 I've never heard of viva before #2 I've never seen an azure logo at the footer of a website.


If I were to test an email delivery system, I would test Gmail. I probably wouldn't test Google Workspaces, because I'd (wrongly) assume that they work the same.


No, just over 6 million paying business customers.

But hey, if you're in a business domain where categorically leaving 6 million potential clients-who-are-demonstrated-to-spend-on-things isn't an issue? One fewer thing to worry about, right? ;)


Certainly enough where this is embarrassing incompetence by them.


how is having NO law better? I'd say 12 out of 20, is better than zero.


When enforcement is this shoddy, it’s easy to create corruption through selective enforcement.

“We don’t have the resources to go after everyone, so we must prioritize” - but it turns out there’s a bias to the selection process…

I believe that justice is only true when we are all treated equally under the law.


I think you mean 8 out of 20. Fewer than half.


micro-vms, not DinD


cool tool, thanks! Was wondering if I was using the 5x well :) 2026-01-03

│ Total │ │ 2,102,742 │ 622,848 │ 78,507,465 │ 1,670,798,000 │ 1,752,031,055 │ $1283.69 │


we only see 20% of what happens in the shadow, but yah, I guess it's better than 100%


I fumbled around a bit and got it working, but not entirely sure if this is how it really works: have a look at https://github.com/ejpir/CVE-2025-55182-poc


very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability


I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct, can you demo it with an actual nextjs project, instead of your mock server?


I've updated the code, try it now with server-realistic.js:

1. npm start
2. npm run exploit


I'm trying that, nextjs is a little different because it uses a Proxy object before it passes through, which blocks the rce.

I'm debugging it currently, maybe I'm not on the right path after all.


FYI as of just now, the author has (correctly) added a disclaimer that this poc doesn't quite work.


Your lump of AI-generated slop has detracted from the response to an important vulnerability. Congratulations. Your PoC is invalid and you should delete it.


HMU, proud owner of slopcop.ai and have been itching to put it to good use.


Thanks for the writeup, it's incredible!


The PoC is AI generated crap - sorry for the initial comment lauding it. I should have checked better. See: https://github.com/ejpir/CVE-2025-55182-poc/issues/1 and https://react2shell.com/


The guy who discovered the actual vulnerability says otherwise.

Delete this distraction to genuine blue teamers and stop shitting up the information landscape with this utter hogwash.

This is why infosec is dead.

https://react2shell.com/

https://github.com/ejpir/CVE-2025-55182-poc/issues/1#issueco...

