by mschuster91
724 days ago

> Shouldn't it be on security researcher to prove that how this can be exploited if no http end points are created?

The problem is, from their viewpoint the security researcher is completely correct: a vulnerability is a vulnerability. Consuming applications absolutely have to do their own research for CVEs in dependencies, to determine if they are impacted or not, and to develop mitigations on their side as well if needed.

In the app using the library, not in the library.