Details of latest 2023 Remote Code Execution Vuln

Continuing the discussion from Nightly 8.1 Changelogs - 2023:

Does IA have any guidance on affected modules and/or version ranges to share with our clients? Or possible mitigations before the fix becomes a release? v8.1.25 is only a week old, which suggests the formal release with the fix is three or four weeks away.

Avoid using the Quick Client with untrusted servers.

Edit: or any server that an adversary could control the value of Nodes in, I guess.

1 Like