M
Ask HN
Ask HN: Who else got pwned by the Next.js RCE?
I'm a little embarrassed, but not sure what I could have done differently other than reading the Saturday email from GCP with the nondescript subject "New Advisory Notification". Ten hours later, GCP instance suspended due to crypto mining. Now looking at the disk image, it installed something at ~/nxt/ , installed a monero miner at ~/c3pool/ , and added several systemctl services to run these on startup. BRB, killing this machine with fire... This makes me think I should be running everything in Docker, even simple small stuff that "shouldn't" have any potential security issues.

Fortunately this machine wasn't anything important for me and there was no sensitive data to exfil beyond AI API keys. But I imagine there's other orgs that just got catastrophically, irrecoverably pwned.

What's your story?

(RCE context: https://news.ycombinator.com/item?id=46136026 )

This might be a hot take, but I feel like the blurring of lines between back-end and front-end apps with platforms like Vercel will lead to more and more of these exploits. I’m an experienced full-stack dev and I’m constantly confused as to “where I am” in a Next code base. Server? Client? Edge? Proponents might say “that’s the point - you don’t have to worry about there you are, it’s one code base” but these sort of issues indicate otherwise.

All platforms can be exploited I guess, but I still wonder at the complexity of the platforms we now rely on and whether it’s justified.

I don't use Next.js but I'm curious as well. My impression was that most people run it under Vercel who patches quickly, but maybe that's not the case.
You had to patch manually
I'm sure a lot of people and companies got pwned and they aren't going to disclose it. There are chrome extensions that passively polls sites for the vulnerability, and since the vulnerability is so simple to exploit and leaves virtually no trace...

My gut feeling is that we are going to be feeling the consequences of simultaneous enshittification of software, the mounting complexity of our systems, and AI enslopification combine to create far more vulnerabilities in the future. The only defence is to adopt simple systems and software.