Statistics
- 85 Posts
- 161 Interactions
Fediverse
Yesterday, after various bogus AI slopped "PoC"s, eventually a functional PoC for the React RCE emerged:
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
🎅 🌲 💫
Alleys glow with Christmas light
Crowds rush off to shop tonight
Candles gleam inside so well
Only system administrators
Listen, anxious, to the network's rumblings
Hark! Here comes #React2Shell!
I had the [mis?]fortune of being awake just as attackers decided to slam the public internet with React2Shell exploits. GreyNoise had a tag up for it yesterday afternoon.
Full write-up of the initial spate of attacks:
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
1/3
React Developers: There is a serious vulnerability in React and Next.JS (CVE-2025-55182 / CVE-2025-66478). It affects those using React for the BACKEND (RSC and React Server Functions). It is similar in damage and exploit to log4j. Please upgrade asap.
FML we have daft 10 IPs slinging the RSC/Next.js exploit along with one of the oddest JA4t hashes I've seen in a while.
someone(s) burned new infra to do so, too.
if any org gets compromised from an opportunistic campaign (like this) they fully deserve the ransomware/breach they get.
Ooh @censys bringing the deets from the other perspective! https://censys.com/advisory/cve-2025-55182
Alleged (by Amazon) active exploitation of React Server Components (RSC) by Chinese threat actors. Has anyone else seen "real" exploitation attempts, not just running the fake PoCs that are out there?
PSA: There are automated attacks in the wild against CVE-2025-55182 (The react server components RCE made public yesterday)
Patch your systems NOW if you haven't yet.
:BoostOK:
⚠️ CERT-FR Alert ⚠️
CERT-FR is aware of public proofs of concept for vulnerability CVE-2025-55182 affecting React Server Components and anticipates mass exploitation.
The PoC of #react2shell from the original author https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc/blob/main/01-submitted-poc.js
the real React 10.0 CVE proof of concept (not the "AI" proof of slop)
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
React2Shell (CVE-2025-55182): Chinese hacker groups are attacking a critical React vulnerability
Just hours after vulnerability CVE-2025-55182 was published on 3 December 2025, security researchers at Amazon recorded the first attack attempts. The flaw, which became known under the name React2Shell, received the maximum CVSS rating of 10.0 and allows code execution without authentication.
https://www.all-about-security.de/react2shell-cve-2025-55182-chinesische-hackergruppen-greifen-kritische-react-schwachstelle-an/
Critical RSC Bugs in React and Next.js Enable Unauthenticated Remote Code Execution
Source: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
A maximum-severity flaw has been disclosed in React Server Components (RSC) that can allow remote code execution.
The vulnerability, CVE-2025-55182 — codenamed React2shell — carries a CVSS score of 10.0. According to the React team, it enables unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
The React team warns that applications may be vulnerable even if they do not implement Server Function endpoints, as long as they support React Server Components.
Cloud security firm Wiz reports that the issue stems from logical deserialization errors. RSC payloads are processed in an unsafe manner, allowing an attacker to send a specially crafted HTTP request to any Server Function endpoint. When the payload is deserialized, React may execute arbitrary JavaScript code on the server without authentication.
📊 39% of cloud environments are vulnerable to React2Shell.
New data from Wiz indicates that nearly 40% of cloud environments contain instances vulnerable to CVE-2025-55182. Even more concerning? 44% of all cloud environments have publicly exposed Next.js instances.
The "secure by design" assumption is working against defenders right now.
✅ Detection is LIVE.
We have updated the Network Vulnerability Scanner in Pentest-Tools.com to help you validate this specific configuration immediately.
As shown in the attached video, you can go from "exposed" to "confirmed" in seconds:
1. Select the Network Scanner
2. Input CVE-2025-55182
3. Get definitive proof with Request/Response evidence
Don't rely on version checks when the exposure surface is this wide.
🔗 Run the detection: https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online
📜 Vulnerability breakdown: https://pentest-tools.com/vulnerabilities-exploits/react-server-components-remote-code-execution_28260
📈 Data source: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
#AppSec #ReactJS #CloudSecurity #React2Shell #InfoSec #VulnerabilityManagement #NextJS
React2Shell = Log4shell: 87,000 servers in Italy at risk of compromise
In 2025, the IT and security communities are abuzz over a single name: "React2Shell". With the disclosure of a new vulnerability, CVE-2025-55182, rated CVSS 10.0, developers and security experts around the world are warning of its severity, even using the term "2025 Log4Shell".
The servers affected by this threat number about 8,777,000 worldwide, while Italian servers number about 87,000. This makes it clear that, with a severity score of 10, this could be one of the most significant threats of the whole year, and it is becoming "active".
The new Log4Shell of 2025
Indeed, it has been confirmed that the Chinese hacker community has already begun large-scale attack tests against exposed servers using the exploit for the vulnerability in question. CVE-2025-55182 is not simply a software bug. It is a structural flaw in the RSC serialization protocol that allows exploitation with the default configuration alone, without any mistake on the developers' part. Authentication is not even required.
This is why security experts around the world are calling it "the 2025 version of Log4Shell". The React2Shell Checker vulnerability scanning tool is analyzing multiple paths, and some endpoints are marked as Safe or Vulnerable. The image above shows that several researchers are already running automated scans against RSC-based servers.
The problem is that these tools become weapons that attackers can exploit. Chinese hackers are successfully conducting RCE tests. According to data collected from the Chinese hacker community, attackers have already injected React2Shell PoCs into Next.js-based services, collected the results with the DNSLog service and verified the attack vector.
The PoC exploit used in the scans
A manipulated payload is sent with Burp Repeater and the server creates an external DNS record. This indicates that the attack is being verified in real time. The attackers have already completed the following steps:
- Upload the payload to the target server
- Trigger the RSC serialization vulnerability
- Verify successful command execution with an external DNSLog
- Verify the ability to run child_process on the server side.
This is no longer a "theoretical vulnerability", but proof that a working attack vector has already been developed.
Chinese hackers are at this very moment successfully executing RCEs.
The PoCs have been published on GitHub and some researchers have run them, confirming that Windows Calculator (Calc.exe) was executed remotely.
Sending the payload via BurpSuite Repeater resulted in the immediate execution of Calc.exe on the server. This means full remote code execution is possible.
Remote execution of the calculator is a common way in the security research community to demonstrate a successful "RCE", i.e. that an attacker has taken control of a server.
The 87,000 servers shown in the FOFA screenshot demonstrate that a significant number of web services of Italian companies running with React/Next.js-based RSC functions enabled are at risk. The problem is that most of them
- use server rendering
- keep the default RSC settings
- handle exposed API paths, so they can be targeted by large-scale attacks.
In particular, since FOFA search results are a common source of information also used by hacker groups to select attack targets, it is highly likely that these servers are under active scanning.
Why is React2Shell dangerous?
Experts describe this vulnerability as "unprecedented" for the following reasons:
- Unauthenticated RCE (unauthenticated remote code execution): the attacker does not need to log in.
- Zero-click possibility: no user action is required.
- Immediately exploitable PoC: already published in large numbers on GitHub and X.
- Hundreds of thousands of services worldwide rely on React 19/Next.js: risk of large-scale proliferation at the supply-chain level.
- The default setting itself is vulnerable: it is difficult for developers to defend against.
This combination is very similar to the Log4Shell incident of 2021.
However, unlike Log4Shell, which was limited to Java Log4j, React2Shell is more serious in that it targets frameworks used by the entire global web-services ecosystem.
What the signs of an actual attack are
Attackers are already running the following attack routine.
- Collecting exposed React/Next.js assets by country from FOFA
- Running the React2Shell PoC automation script
- Verifying whether the command was executed using DNSLog
- Replacing the payload after identifying vulnerable servers
- Taking control of the system via the final RCE
This phase is not a pre-scan, but rather the phase immediately preceding the attack. Given the particularly high number of servers in Italy, the probability of large-scale RCE attacks against national institutions and companies is very high. Vulnerability assessment tools and other tools are being uploaded to the security community.
Mitigating the security bug
Experts recommend emergency measures such as immediate patching, vulnerability scanning, log analysis and updating WAF blocking policies.
The React team announced on the 3rd that it had urgently released a patch to fix CVE-2025-55182, correcting a structural flaw in the RSC serialization protocol. However, because of the structural nature of React, which does not update automatically, the vulnerabilities persist unless companies and development organizations manually update and rebuild their releases.
In particular, Next.js-based services require a rebuild and deployment process after the React patch is applied, which means there will likely be a significant delay before the actual security patch lands in the service environment. Experts warn that "the patch has been released, but most servers are still at risk".
Many Next.js applications run with RSC enabled by default, often without even the internal development teams being aware of it. This requires companies to carefully inspect their codebases for the use of server components and Server Actions. With large-scale scanning attempts already confirmed in several countries, including Korea, strengthening blocking policies is essential.
Furthermore, with automated React2Shell scanners and PoC code spreading everywhere around the world, attackers are running mass scans of exposed servers at this very moment. As a result, security experts have stressed that companies must immediately scan their domains, subdomains and cloud instances using external attack-surface assessment tools.
They also stressed that if traces of DNSLog callbacks, an increase in unusual multipart POST requests, or large payloads sent to RSC endpoints are found in internal logs, it is very likely that an attack attempt has already taken place or that a partial compromise has been achieved, which requires a rapid response.
The article "React2Shell = Log4shell: 87.000 server in Italia a rischio compromissione" originally appeared on Red Hot Cyber.
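The log indicators named in the mitigation section above (unusual multipart POST requests and oversized payloads to RSC endpoints) can be turned into a first-pass triage script over web access logs. This is an added example, not code from the article, React or Next.js; the JSON-lines log format, the field names, the assumption that the Next-Action request header is logged, and the thresholds are all constructed here.

```python
"""Triage web access logs for the React2Shell indicators the article lists:
bursts of multipart POSTs and large payloads aimed at server-action endpoints.

Added example, not the article's or React's code. Assumes a JSON-lines access
log with the fields shown in SAMPLE_LOG; field names, the logged Next-Action
header value ("next_action") and the thresholds are assumptions to be tuned.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
{"ts":"2025-12-04T06:00:01Z","ip":"203.0.113.10","method":"GET","path":"/","ct":"","len":0,"next_action":""}
{"ts":"2025-12-04T06:00:02Z","ip":"198.51.100.7","method":"POST","path":"/","ct":"multipart/form-data; boundary=x","len":48213,"next_action":"deadbeef"}
{"ts":"2025-12-04T06:00:02Z","ip":"198.51.100.7","method":"POST","path":"/about","ct":"multipart/form-data; boundary=x","len":47990,"next_action":"deadbeef"}
{"ts":"2025-12-04T06:00:03Z","ip":"198.51.100.7","method":"POST","path":"/blog","ct":"multipart/form-data; boundary=x","len":48102,"next_action":"deadbeef"}
{"ts":"2025-12-04T06:00:03Z","ip":"198.51.100.7","method":"POST","path":"/api/health","ct":"multipart/form-data; boundary=x","len":48300,"next_action":"deadbeef"}
{"ts":"2025-12-04T06:05:00Z","ip":"192.0.2.44","method":"POST","path":"/contact","ct":"multipart/form-data; boundary=y","len":1200,"next_action":"c0ffee"}
{"ts":"2025-12-04T06:06:00Z","ip":"192.0.2.45","method":"POST","path":"/api/upload","ct":"multipart/form-data; boundary=z","len":900000,"next_action":""}
"""

LARGE_BODY = 16 * 1024   # assumed threshold: action payloads bigger than this are suspect
BURST_COUNT = 3          # assumed: this many distinct paths from one IP within the window
BURST_WINDOW_S = 60      # assumed window length in seconds


def parse(log_text):
    """Parse JSON-lines log text into dicts with a real datetime in 'ts'."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        rows.append(r)
    return rows


def is_action_post(r):
    """Multipart POST that carries a server-action header: the request shape
    the article's indicators describe. A plain file upload (no action header)
    is deliberately not counted, to keep false positives down."""
    return (r["method"] == "POST"
            and r["ct"].lower().startswith("multipart/form-data")
            and bool(r["next_action"]))


def find_large_payloads(rows):
    """Action POSTs whose body exceeds the assumed size threshold."""
    return [r for r in rows if is_action_post(r) and r["len"] >= LARGE_BODY]


def find_spray_bursts(rows):
    """One source sending action POSTs to many distinct paths in a short window
    looks like a scanner spraying every route, not a user submitting a form.
    Returns {ip: sorted list of paths} for each source that trips the rule."""
    by_ip = defaultdict(list)
    for r in rows:
        if is_action_post(r):
            by_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(reqs):
            window = [x for x in reqs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= BURST_WINDOW_S]
            paths = {x["path"] for x in window}
            if len(paths) >= BURST_COUNT:
                hits[ip] = sorted(paths)
                break
    return hits


def triage(log_text):
    """Run both rules and return the findings for review."""
    rows = parse(log_text)
    return {"large_payloads": find_large_payloads(rows),
            "spray_bursts": find_spray_bursts(rows)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["large_payloads"]:
        print(f"LARGE  {r['ip']} {r['path']} {r['len']} bytes")
    for ip, paths in result["spray_bursts"].items():
        print(f"SPRAY  {ip} -> {', '.join(paths)}")
```

Map the field names to whatever your reverse proxy actually logs and baseline the thresholds against a normal week before alerting on them; a hit is a reason to pull the full request for review, not proof of compromise on its own.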
Today it's Cloudfront's turn. Again!
Apparently they found a very serious bug in a "REACT" module (CVE 10.0
https://www.cve.org/CVERecord?id=CVE-2025-55182 ) and to fend off attacks... they tore everything down ( https://blog.cloudflare.com/5-december-2025-outage/ )
But today the outage lasted only a very short time, just half an hour.
Today, it seems acceptable.
Thanks Facebook :)
Thanks Cloudfront.
Explanation and full RCE PoC for CVE-2025-55182 https://github.com/msanft/CVE-2025-55182
A critical vulnerability (CVE-2025-55182) in the React web application framework, allowing full remote code execution, is being actively exploited by Chinese state-nexus threat groups. The flaw, which affects all versions of React since November 2024, can be exploited remotely without authentication. Organizations using React or affected downstream frameworks are urged to remediate the vulnerability urgently.
https://www.govinfosecurity.com/chinese-nation-state-groups-tied-to-react2shell-targeting-a-30201
🚨 CVE-2025-55182: Meta React Server Components Remote Code Execution Vulnerability has been added to the CISA KEV Catalog
Added: 2025-12-05
Vendor: Meta
Product: React Server Components
CVSS: 10
CISA KEV Catalog: https://darkwebinformer.com/cisa-kev-catalog/
Write-up: https://www.vulncheck.com/blog/cve-2025-55182-react-nextjs
A serious vulnerability in React Server Components and Next.js allows unauthenticated remote code execution, affecting key versions and exposing applications to critical attacks. A high-fidelity mechanism has been developed to detect these threats, while experts recommend updating and hardening configurations to mitigate the risks. Find out about these and more details in the following list of information security news:
🗞️ LATEST NEWS IN INFORMATION SECURITY 🔒
====| 🔥 WHAT YOU NEED TO KNOW TODAY 05/12/25 📆 |====
🔐 CRITICAL VULNERABILITY IN NEXT.JS AND REACT SERVER COMPONENTS ALLOWING REMOTE CODE EXECUTION
A severe security flaw has been detected in versions 19.0.0 to 19.2.0 of React Server Components and in Next.js, affecting the deserialization of HTTP payloads without prior authentication. This vulnerability, registered as CVE-2025-55182 and CVE-2025-66478, has a CVSS rating of 10.0 because of its ability to execute code remotely, putting applications that use these widely adopted frameworks at risk. It is crucial that developers and system administrators update their environments and review their configurations to mitigate possible attacks that could compromise the integrity and availability of their services.
Find out more about this threat and how to protect your systems here 👉 https://djar.co/WTFvoc
🚨 ALERT ON REMOTE CODE EXECUTION IN REACT SERVER COMPONENTS WITHOUT AUTHENTICATION
React Server Components, in the versions mentioned, have a vulnerability that allows a remote attacker to execute code by exploiting insecure deserialization of HTTP data. The severity lies in the complete absence of any authentication requirement, enabling attacks with no initial barrier. This weakness directly affects the security of modern applications built on React and Next.js, so it is essential to apply the recommended patches and strengthen access controls.
See the technical analysis and the recommendations for strengthening your security 👉 https://djar.co/6aBjG
⚠️ HIGH-FIDELITY DETECTION MECHANISM FOR RCE IN NEXT.JS AND REACT SERVER COMPONENTS
An advanced mechanism has been developed to detect remote code execution (RCE) attempts against Next.js and React Server Components, making it possible to precisely identify attacks that exploit these critical vulnerabilities. It also warns about the proliferation of flawed proofs of concept in public repositories, stressing the need for reliable detections to avoid false positives and respond effectively to real incidents.
Access the detailed information and the detection tool here 👉 https://djar.co/u87j4H
🔥 IMPACT AND MITIGATIONS OF THE VULNERABILITIES IN REACT AND NEXT.JS
This in-depth analysis covers the consequences of the vulnerabilities in React and Next.js components, highlighting the severity of allowing remote code execution and the possible attack vectors. It also presents strategies to mitigate these risks, including updates, secure configurations and recommended practices for developers, in order to preserve the integrity and confidentiality of applications.
Learn about best practices and preventive measures here 👉 https://djar.co/wXxkh
This Week in Security: React, JSON Formatting, and the Return of Shai Hulud
After a week away recovering from too much turkey and sweet potato casserole, we’re back for more security news! And if you need something to shake you out of that turkey-induced coma, React Server has a single request Remote Code Execution flaw in versions 19.0.1, 19.1.2, and 19.2.1.
The issue is insecure deserialization in the Flight protocol, as implemented right in React Server, and notably also used in Next.js. Those two organizations have both issued Security Advisories for CVSS 10.0 CVEs.
There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven’t already started.
Legal AI Breaks Attorney-Client Privilege
We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isn’t even in the AI agent this time.
The story starts with subdomain enumeration — the process of searching DNS records, Google results, and other sources for valid subdomains. That resulted in a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging through JavaScript, and found an Amazon AWS endpoint, and a reference to BOX_SERVICE. Making requests against the listed endpoint resulted in both boxFolders and a boxToken in the response. What are those, and what is Box?
Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.
JSON Formatting As A Service
The web is full of useful tools, and I’m sure we all use them from time to time. Or maybe I’m the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I’m also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.
You may see where this is going. Many of us use Github Gists, which supports secret gists protected by long, random URLs. JSONformatter and CodeBeautify don’t. Those URLs are short enough to enumerate — not to mention there is a Recent Links page on both sites. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public. It’s not hard to predict that JSON containing secrets were leaked through these sites.
And then on to the big question: Is anybody watching? Watchtowr researchers beautified a JSON containing a Canarytoken in the form of AWS credentials. The JSON was saved with the 24 hour timeout, and 48 hours later, the Canarytoken was triggered. That means that someone is watching and collecting those JSON snippets, and looking for secrets. The moral? Don’t upload your passwords to public sites.
Shai Hulud Rises Again
NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that affected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple days later, about 10% were still valid.
This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. The nature of Node.js means that this worm was able to very quickly spread through packages where maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we’ll see Shai Hulud causing problems.
Bits and Bytes
[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It’s literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That’s not the only issue here, as there’s also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.
Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialogue is presented, that suggests the user hangs up the call, and forces a 30 second waiting period. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.
What seemed to be just an illegal gambling ring of web sites, now seems to be the front for an Advanced Persistent Threat (APT). That term, btw, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.
Bluesky
Statistics
- 18 Posts
- 51 Interactions
RIP javascript devs
https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478
🚨 CVE-2025-66478: Next.js RSC RCE Scanner and POC/Exploit Collection
A command-line scanner for batch detection of Next.js application versions and determining if they are affected by CVE-2025-66478 vulnerability.
GitHub: https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478
Una grave vulnerabilidad en React Server Components y Next.js permite ejecución remota de código sin autenticación, afectando versiones clave y exponiendo aplicaciones a ataques críticos. Se desarrolló un mecanismo de alta fidelidad para detectar estas amenazas, mientras expertos recomiendan actualizar y reforzar configuraciones para mitigar riesgos. Descubre estos y más detalles en el siguiente listado de noticias sobre seguridad informática:
🗞️ ÚLTIMAS NOTICIAS EN SEGURIDAD INFORMÁTICA 🔒
====| 🔥 LO QUE DEBES SABER HOY 05/12/25 📆 |====
🔐 VULNERABILIDAD CRÍTICA EN NEXT.JS Y REACT SERVER COMPONENTS QUE PERMITE EJECUCIÓN REMOTA DE CÓDIGO
Se ha detectado una falla de seguridad severa en las versiones 19.0.0 a 19.2.0 de React Server Components y en Next.js, que afecta la deserialización de cargas útiles HTTP sin autenticación previa. Esta vulnerabilidad, registrada como CVE-2025-55182 y CVE-2025-66478, tiene una calificación CVSS de 10.0 debido a su capacidad para ejecutar código remotamente, poniendo en riesgo aplicaciones que utilizan estos frameworks ampliamente adoptados. Es crucial que los desarrolladores y administradores de sistemas actualicen sus entornos y revisen sus configuraciones para mitigar posibles ataques que podrían comprometer la integridad y disponibilidad de sus servicios.
Descubre más detalles sobre esta amenaza y cómo proteger tus sistemas aquí 👉 https://djar.co/WTFvoc
🚨 ALERTA SOBRE LA EJECUCIÓN REMOTA DE CÓDIGO EN REACT SERVER COMPONENTS SIN NECESIDAD DE AUTENTICACIÓN
Los Componentes de Servidor React, entre las versiones mencionadas, presentan una vulnerabilidad que permite a un atacante remoto ejecutar código aprovechando una deserialización insegura de datos HTTP. La gravedad radica en la ausencia total de requerimientos de autenticación, facilitando así ataques sin barreras iniciales. Esta debilidad impacta directamente la seguridad de aplicaciones modernas basadas en React y Next.js, por lo que es imprescindible aplicar los parches recomendados y fortalecer los controles de acceso.
Consulta el análisis técnico y las recomendaciones para reforzar tu seguridad 👉 https://djar.co/6aBjG
⚠️ MECANISMO DE DETECCIÓN DE ALTA FIDELIDAD PARA RCE EN NEXT.JS Y REACT SERVER COMPONENTS
Se ha desarrollado un mecanismo avanzado para detectar intentos de ejecución remota de código (RCE) en Next.js y React Server Components, que permite identificar de manera precisa ataques aprovechando estas vulnerabilidades críticas. Además, se advierte sobre la proliferación de pruebas de concepto erróneas en repositorios públicos, enfatizando la necesidad de contar con detecciones fiables para evitar falsos positivos y responder efectivamente a incidentes reales.
Accede a la información detallada y la herramienta de detección aquí 👉 https://djar.co/u87j4H
🔥 IMPACTO Y MITIGACIONES DE LAS VULNERABILIDADES EN REACT Y NEXT.JS
Este análisis profundo aborda las consecuencias de las vulnerabilidades en componentes de React y Next.js, destacando la gravedad de permitir la ejecución remota de código y los posibles vectores de ataque. Se presentan también estrategias para mitigar estos riesgos, incluyendo actualizaciones, configuraciones seguras y prácticas recomendadas para desarrolladores, con el fin de preservar la integridad y confidencialidad de las aplicaciones.
Infórmate sobre las mejores prácticas y medidas preventivas aquí 👉 https://djar.co/wXxkh
This Week in Security: React, JSON Formatting, and the Return of Shai Hulud
After a week away recovering from too much turkey and sweet potato casserole, we’re back for more security news! And if you need something to shake you out of that turkey-induced coma, React Server has a single request Remote Code Execution flaw in versions 19.0.1, 19.1.2, and 19.2.1.
The issue is insecure deserialization in the Flight protocol, as implemented right in React Server, and notably also used in Next.js. Those two organizations have both issued Security Advisories for CVSS 10.0 CVEs.
There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven’t already started.
Legal AI Breaks Attorney-Client Privilege
We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isn’t even in the AI agent this time.
The story starts with subdomain enumeration — the process of searching DNS records, Google results, and other sources for valid subdomains. That resulted in a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging though Javascript, and found an Amazon AWS endpoint, and a reference to BOX_SERVICE. Making requests against the listed endpoint resulted in both boxFolders and a boxToken in the response. What are those, and what is Box?
Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.
JSON Formatting As A Service
The web is full of useful tools, and I’m sure we all use them from time to time. Or maybe I’m the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I’m also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.
You may see where this is going. Many of us use Github Gists, which supports secret gists protected by long, random URLs. JSONformatter and CodeBeautify don’t. Those URLs are short enough to enumerate — not to mention there is a Recent Links page on both sites. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public. It’s not hard to predict that JSON containing secrets were leaked through these sites.
And then on to the big question: Is anybody watching? Watchtowr researchers beautified a JSON containing a Canarytoken in the form of AWS credentials. The JSON was saved with the 24 hour timeout, and 48 hours later, the Canarytoken was triggered. That means that someone is watching and collecting those JSON snippets, and looking for secrets. The moral? Don’t upload your passwords to public sites.
Shai Hulud Rises Again
NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that effected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple days later, about 10% were still valid.
This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. The nature of Node.js means that this worm was able to very quickly spread through packages where maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we’ll see Shai Hulud causing problems.
Bits and Bytes
[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple of major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It’s literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That’s not the only issue here, as there’s also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.
Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialog is presented that suggests the user hang up the call, and forces a 30-second waiting period. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.
What seemed to be just an illegal gambling ring of web sites now seems to be the front for an Advanced Persistent Threat (APT). That term, by the way, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.
Overview
- Apache Software Foundation
- Apache Tika core
- org.apache.tika:tika-core
Statistics
- 2 Posts
- 1 Interaction
Fediverse
A critical XXE bug (CVE-2025-66516) with a CVSS score of 10.0 has been discovered in Apache Tika, affecting multiple modules including tika-core, tika-pdf-module, and tika-parsers. This vulnerability allows attackers to perform XML External Entity injection via a crafted XFA file within a PDF, potentially leading to file system access and remote code execution, and requires urgent patching.
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
Overview
- Apache Software Foundation
- Apache HTTP Server
Statistics
- 3 Posts
- 5 Interactions
Fediverse
Apache HTTP Server 2.4.66 was released yesterday, patching these sev:LOW and sev:MED vulns:
https://www.cve.org/CVERecord?id=CVE-2025-58098
https://www.cve.org/CVERecord?id=CVE-2025-59775
https://www.cve.org/CVERecord?id=CVE-2025-65082
Apache alert: SSRF flaws and exposed NTLM credentials. Admins, update immediately!
A significant update has been distributed by the Apache Software Foundation for the widely used Apache HTTP Server, correcting a total of five distinct security vulnerabilities. Administrators are advised to apply this update as soon as possible to ensure that their web infrastructure is protected against the identified vectors.
The just-released version 2.4.66 is a comprehensive fix for problems that include both infinite loops during certificate renewal and possible leaks of NTLM credentials on Windows operating systems.
Two of the identified vulnerabilities, rated “moderate”, pose specific risks to shared-hosting configurations that use suexec and to Windows environments, while the remaining three are labelled “low” severity.
Among the most significant fixes in this update is CVE-2025-59775, a server-side request forgery (SSRF) flaw affecting Apache HTTP Server running on Windows. This vulnerability, rated moderate severity, arises from the interaction between the AllowEncodedSlashes On and MergeSlashes Off settings.
According to the advisory, this configuration “potentially allows NTLM hashes to be disclosed to a malicious server via SSRF and malicious requests or content”. This could let attackers harvest credentials from the server environment, making it a priority patch for Windows administrators.
The second moderate-severity flaw, CVE-2025-66200, concerns the interaction between mod_userdir and suexec. This vulnerability allows a bypass via the AllowOverride FileInfo directive. The report notes that “users with access to the RequestHeader directive in htaccess can cause certain CGI scripts to run with an unexpected user ID”. This effectively breaks the intended isolation of the suexec feature, which is fundamental to security in multi-user environments.
The update resolves three further low-severity issues which, while less critical, could disrupt operations or create unexpected behaviour:
- Infinite loop (CVE-2025-55753): a bug in mod_md (ACME) can cause an overflow during failed certificate renewals. This creates a potential resource-exhaustion scenario.
- Query-string issue (CVE-2025-58098): affects servers using Server Side Includes (SSI) with mod_cgid. The advisory states that the server “passes the shell-escaped query string to #exec cmd='…' directives”.
- Variable override (CVE-2025-65082): this flaw concerns “variables set via Apache configuration unexpectedly overriding variables computed by the server for CGI programs”.
Users are advised to update to version 2.4.66, which resolves the issue.
The article Apache alert: SSRF flaws and exposed NTLM credentials. Admins, update immediately! originally appeared on Red Hot Cyber.
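As an added defender's check, not code from the article or from the Apache project, here is a small Python linter that flags the two moderate-severity directive combinations described above in an httpd.conf. The sample configuration is constructed, and the assumption that an absent directive carries Apache's documented default (AllowEncodedSlashes Off, MergeSlashes On) is mine.

```python
from typing import Dict, List

# Constructed sample httpd.conf fragment (not from the advisory): a Windows
# host carrying both directive combinations the advisory describes.
SAMPLE_CONF = """\
ServerRoot "C:/Apache24"
AllowEncodedSlashes On
MergeSlashes Off
LoadModule userdir_module modules/mod_userdir.so
LoadModule suexec_module modules/mod_suexec.so
<Directory "/home/*/public_html">
    AllowOverride FileInfo
</Directory>
"""


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Collect every value per directive name (case-insensitive), ignoring
    comments, blank lines and section tags, so an AllowOverride nested in a
    <Directory> block is still recorded."""
    found: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found


def audit(conf: str) -> List[str]:
    """Return a finding per moderate-severity condition fixed in 2.4.66.
    Assumption: a missing directive means Apache's default, which is the
    safe value for both directives involved in CVE-2025-59775."""
    d = parse_directives(conf)
    findings: List[str] = []
    encoded = [v.lower() for v in d.get("allowencodedslashes", ["off"])]
    merge = [v.lower() for v in d.get("mergeslashes", ["on"])]
    if "on" in encoded and "off" in merge:
        findings.append("CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off")
    loaded = " ".join(d.get("loadmodule", [])).lower()
    overrides = " ".join(d.get("allowoverride", [])).lower().split()
    if "suexec" in loaded and "userdir" in loaded and ("fileinfo" in overrides or "all" in overrides):
        findings.append("CVE-2025-66200: mod_userdir and suexec loaded with AllowOverride FileInfo")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The check only reads the main configuration text handed to it; .htaccess files and Include'd fragments would need to be concatenated in first.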
Overview
Statistics
- 1 Post
- 4 Interactions
Fediverse
Hardcoded JWT secret in something called GoAway. It appears to be a similar project to Pi-hole.
https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730
Overview
- Array Networks
- ArrayOS AG
Statistics
- 1 Post
- 2 Interactions
Fediverse
EITW vuln in ArrayOS. Advisory was published Wednesday and updated today, along with the CVE being published, so IDK if it was 0day or quickly exploited after the advisory.
https://www.jpcert.or.jp/at/2025/at250024.html
The DesktopDirect feature of the Array AG series provided by Array Networks contains a command injection vulnerability. If this vulnerability is exploited, an attacker may execute an arbitrary command. At the time of publication of this information, the CVE number for this vulnerability has not been numbered.
Not sure if this is something @Dio9sys and @da_667 are interested in.
Edit to add the CVE number since the description said it isn't available yet: CVE-2025-66644