24h | 7d | 30d

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
76.01%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 21 Posts
  • 15 Interactions
Last activity: Last hour

Fediverse

Profile picture
Caitlin Condon @catc0n

VulnCheck analyzed several hundred CVE-2025-55182 exploits so you don't have to!

Amid all the slop (and there's so, so much slop) were some interesting finds that understandably escaped attention, including an early in-memory webshell variant, a PoC with logic that loads the Godzilla webshell, and a repo that deploys a lightweight WAF to block React2Shell payloads entirely (!)

@albinolobster wrote about exploit characteristics in aggregate and broke out the cooler examples here:

vulncheck.com/blog/react2shell

  • 2
  • 2
  • 0
  • 9h ago
Profile picture
CrowdSec @CrowdSec

From CVE disclosure to protection in under 24 hours, a practical example of collaborative security in action.

On 3 December 2025, CVE-2025-55182 () was published with a CVSS score of 10. Within hours, CrowdSec Security Engines worldwide began detecting exploitation attempts.

By the next day, the network had:
- Identified significant attack activity targeting the vulnerability
- Released a WAF Virtual Patching rule to mitigate the RCE
- Started automatically blocking attacks through community-driven blocklists

Today, more than 12K malicious IPs targeting this CVE have been flagged, with protections continuously updated as new threats emerge.

This demonstrates the value of a global, crowdsourced intrusion detection and prevention network.

If your workloads are exposed to the internet, you can benefit from this rapid, collective response:

👉 To keep your systems protected, deploy the CrowdSec WAF: doc.crowdsec.net/docs/next/app

👉 And, enable the free React2Shell blocklist to secure your exposed services immediately: app.crowdsec.net/blocklists/69

  • 1
  • 0
  • 0
  • 16h ago
Profile picture
The Security Ledger @thesecurityledger

Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide

Torrance, United States / California, 12th December 2025, CyberNewsWire

securityledger.com/2025/12/cri

  • 0
  • 0
  • 1
  • 12h ago
Profile picture
TechNadu @technadu

React2Shell exploitation now enables persistent access via EtherRAT’s blockchain-based C2.

technadu.com/react2shell-explo

• Unauthenticated RCE via CVE-2025-55182
• EtherRAT instructions hidden inside Ethereum smart contracts
• Gov + cloud + critical-infrastructure orgs selectively targeted
• Unique per-host payloads hinder signature detection
• Monitor Node.js anomalies + Ethereum RPC activity

  • 0
  • 0
  • 0
  • 10h ago
Profile picture
Tim Severien @timsev

Remote server execution, denial of service vulnerability, and source code leak, whoever works on React Server Components isn't having a great time.

If you haven't already: upgrade asap.

cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-

  • 0
  • 0
  • 0
  • 15h ago

Bluesky

Profile picture
Tech Trending @tech-trending.bsky.social
個人開発のEC2が乗っ取られてMoneroを掘られていた話【CVE-2025-55182】|ねころこ https://note.com/nekoroko/n/n729421e1cf8d
  • 1
  • 0
  • 0
  • 2h ago
Profile picture
UndercodeTesting @undercode.bsky.social
CVE-2025-55182: The Nextjs 100 Nightmare and How to Evade Total System Compromise + Video Introduction: A critical Remote Code Execution (RCE) vulnerability, CVE-2025-55182, has been disclosed in Next.js, one of the world's most popular React frameworks. With a perfect 10.0 CVSS score, this flaw…
  • 0
  • 1
  • 0
  • 17h ago
Profile picture
TechNadu @technadu.com
React2Shell is evolving into a persistence threat, with EtherRAT using Ethereum smart contracts as covert C2. • CVE-2025-55182 → unauthenticated RCE • Host-specific payloads evade signatures • Gov, cloud, and critical-infrastructure apps targeted #CyberSecurity #EtherRAT #ThreatIntel #NextJS
  • 0
  • 1
  • 0
  • 10h ago
Profile picture
UndercodeTesting @undercode.bsky.social
The 0 Duplicate: How a Nextjs Pre-Auth RCE Hunt Reveals the Nuts and Bolts of Modern Bug Bounties + Video Introduction: In the high-stakes world of bug bounty hunting, not every critical finding results in a massive payout. A recent hunter's experience with CVE-2025-55182, a pre-authentication…
  • 0
  • 1
  • 0
  • 7h ago
Profile picture
GCP Weekly @gcpweekly.bsky.social
Google Cloud Armor update on December 06, 2025 https://cloud.google.com/armor/docs/release-notes#December_06_2025 #googlecloud Security The Cloud Armor cve-canary rules include the google-mrs-v202512-id000002-rce signature to help detect and mitigate CVE-2025-55182
  • 0
  • 0
  • 0
  • 20h ago
Profile picture
CrowdSec @crowdsec.bsky.social
From CVE disclosure to protection in under 24h: CVE-2025-55182 (#React2Shell) was flagged by CrowdSec Security Engines within hours. By the next day, a WAF virtual patch was released, & attacks were automatically blocked via blocklists. Protect your workloads: app.crowdsec.net/blocklists/6...
  • 0
  • 0
  • 0
  • 18h ago
Profile picture
Information Security Briefly @infosecbriefly.bsky.social
Critical CVE-2025-55182 enables unauthenticated remote code execution via unsafe deserialization in React Server Components, prompting CISA to require patching by December 12, 2025.
  • 0
  • 0
  • 0
  • 18h ago
Profile picture
UndercodeTesting @undercode.bsky.social
From Zero to Hero: Build Your Own Subdomain Empire and Own the Next Big CVE Like CVE-2025-55182 + Video Introduction: In the relentless cat-and-mouse game of cybersecurity, attackers don't just exploit known vulnerabilities; they hunt for the often-overlooked doors left open on forgotten…
  • 0
  • 0
  • 0
  • 17h ago
Profile picture
UndercodeTesting @undercode.bsky.social
The React2Shell Takedown: How CrowdSec’s Global Network Neutralized 12,000 Attackers in Under 24 Hours + Video Introduction: On December 3, 2025, the cybersecurity landscape was rattled by the disclosure of CVE-2025-55182, dubbed "React2Shell," a critical Remote Code Execution (RCE) flaw with a…
  • 0
  • 0
  • 0
  • 15h ago
Profile picture
Lorenzo Ordóñez @lordman1982.bsky.social
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far www.greynoise.io/blog/cve-202...
  • 0
  • 0
  • 0
  • 11h ago
Profile picture
今日視界 @g0rosato.bsky.social
核彈級漏洞?請看CVE-2025-55182真實測驗分析
  • 0
  • 0
  • 0
  • 4h ago
Profile picture
topickapp (IT技術系ニュースサイト) @topickapp.bsky.social
https://qiita.com/KeppyNaushika/items/53936b0ef3f87104e398 Next.jsの脆弱性を放置した結果、暗号通貨マイナーが仕込まれた事例を紹介しています。 CVE-2025-55182の公開から2日後に攻撃を受け、RCEを許してしまった経緯が解説されています。 攻撃の流れ、被害状況、対策として有効だったと思われるものがまとめられています。
  • 0
  • 0
  • 0
  • 1h ago
Profile picture
GCP Weekly @gcpweekly.bsky.social
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) #googlecloud https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
  • 0
  • 0
  • 0
  • Last hour
Profile picture
InfoSecSherpa @infosecsherpa.bsky.social
This looks important - ⚠️ CVE Update: CVE-2025-66478 is officially a duplicate of CVE-2025-55182. Same root cause: Both stem from same vulnerability. Not a false positive: Detections for 66478 remain valid. Canonical ID: Use CVE-2025-55182 moving forward. Read here: api.cyfluencer.com/s/react2shel...
  • 0
  • 6
  • 1
  • 18h ago

CVE-2025-14174

Overview

  • Google
  • Chrome
12 Dec 2025
Published
12 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 9 Posts
  • 21 Interactions
Last activity: 4 hours ago

Fediverse

Profile picture
Deskmodder @Deskmodder

Microsoft Edge 143.0.3650.80 korrigiert gefährliche Sicherheitslücke (CVE-2025-14174)

deskmodder.de/blog/2025/12/12/

  • 3
  • 0
  • 1
  • 21h ago
Profile picture
ApplSec @applsec

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2025-14174 (WebKit) additional patches,
🐛 CVE-2025-43529 (WebKit) additional patches:
- Safari 26.2

  • 6
  • 5
  • 1
  • 7h ago
Profile picture
cR0w h0 h0 @cR0w

Two EITW 0days patched in iOS Webkit. The advisory says the exploits were against pre-iOS 26 but they have patches for 26 as well. And some other ones to go with those.

support.apple.com/en-us/125884

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

  • 2
  • 3
  • 0
  • 7h ago
Profile picture
Dark Web Informer :verified_paw: @DarkWebInformer

🚨 Two more vulnerabilities have been added to the CISA KEV Catalog

CVE-2018-4063: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type

CVSS: 8.8

CVE-2025-14174: Google Chromium Out of Bounds Memory Access

CVSS: 8.8

darkwebinformer.com/cisa-kev-c

  • 0
  • 0
  • 0
  • 4h ago

Bluesky

Profile picture
ohhara @shiojiri.com
「Microsoft Edge」でもゼロデイ脆弱性「CVE-2025-14174」が修正、実環境での悪用を確認 - 窓の杜 https://forest.watch.impress.co.jp/docs/news/2070721.html
  • 0
  • 0
  • 0
  • 23h ago
Profile picture
ApplSec @applsec.bsky.social
📣 EMERGENCY UPDATES 📣 Apple pushed updates for 2 new zero-days that may have been actively exploited. 🐛 CVE-2025-14174 (WebKit), 🐛 CVE-2025-43529 (WebKit): - iOS and iPadOS 18.7.3 - iOS and iPadOS 26.2 - macOS Tahoe 26.2 - tvOS 26.2 - visionOS 26.2 - watchOS 26.2 #apple #infosec
  • 2
  • 0
  • 1
  • 8h ago

CVE-2025-55184

Overview

  • Meta
  • react-server-dom-webpack
11 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.07%
KEV

Description

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Statistics

  • 8 Posts
  • 14 Interactions
Last activity: Last hour

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.

facebook.com/security/advisori

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

  • 6
  • 6
  • 0
  • 13h ago
Profile picture
Cloudflare @cloudflare

Cloudforce One sees active exploitation of React2Shell, with actors targeting critical infrastructure—including nuclear fuel and uranium operations. Probing is concentrated in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand.

React also disclosed two new vulnerabilities (CVE-2025-55183 and CVE-2025-55184). Cloudflare customers are protected against all three flaws.

Read the full threat brief: blog.cloudflare.com/react2shel

  • 1
  • 1
  • 0
  • 12h ago
Profile picture
Bodo Tasche @bitboxer

It’s time for another round of updates. Sorry folks, this will be a “deploy on friday” day.

vercel.com/kb/bulletin/securit

#React2Shell

  • 0
  • 0
  • 0
  • 21h ago
Profile picture
Offensive Sequence @offseq

🔴 CRITICAL: React Server Components (v19.0.0–19.2.2) hit by unauth'd DoS (CVE-2025-55184/67779) & source leak (CVE-2025-55183). Patch to 19.0.3/1.4/2.3. Audit functions & input! radar.offseq.com/threat/new-re

  • 0
  • 0
  • 0
  • 17h ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente

La saga sulla sicurezza dei componenti di React Server continua questa settimana.

Successivamente alla correzione di una vulnerabilità critica relativa all’esecuzione di codice remoto (RCE) che ha portato a React2shell, sono state individuate dai ricercatori due nuove vulnerabilità. Queste ultime, pur essendo meno gravi delle precedenti, comportano rischi significativi, tra cui la possibilità di attacchi Denial of Service (DoS) che possono causare il crash del server e l’esposizione di codice sorgente sensibile.

Le versioni interessate includono la versione da 19.0.0 a 19.0.2, la versione da 19.1.0 a 19.1.2 e la versione da 19.2.0 a 19.2.2. Si consiglia pertanto agli sviluppatori di aggiornare alle versioni corrette appena rilasciate:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Fondamentalmente, queste vulnerabilità hanno un ampio raggio d’azione.

Basta che l’applicazione sia vulnerabile a certe funzioni del server per essere esposta a potenziali rischi, senza doverle necessariamente utilizzare. “Anche se la tua app non implementa alcun endpoint di React Server Function, potrebbe comunque essere vulnerabile se supporta i React Server Components”, avverteono i ricercatori di sicurezza.

Il problema più urgente, ha una severity CVSS di 7.5, e riguarda una vulnerabilità che può mettere in ginocchio un server. Identificata come CVE-2025-55184 e CVE-2025-67779, questa falla consente a un aggressore di innescare un loop infinito sul server inviando una specifica richiesta HTTP dannosa. Secondo l’avviso, il loop consuma la CPU del server, bloccandone di fatto le risorse.

La seconda vulnerabilità, il CVE-2025-55183 ha una severity CVSS 5.3, è un problema di gravità media che colpisce la riservatezza del codice dell’applicazione. E’ stato rilevato che in specifiche circostanze, una richiesta nociva è in grado di convincere una funzione del server a fornire all’attaccante il proprio codice sorgente. Secondo quanto riportato nell’avviso, un esperto di sicurezza ha riscontrato che l’invio di una richiesta HTTP dannosa a una funzione del server suscettibile di vulnerabilità potrebbe comportare la restituzione non sicura del codice sorgente di qualsiasi funzione del server.

Per eseguire l’attacco, è necessario un particolare modello di codifica, nel quale una funzione lato server esplicitamente o implicitamente espone un parametro come stringa. Qualora venisse sfruttata, potrebbe portare alla scoperta di informazioni cruciali a livello logico o di chiavi del database internamente allegate al codice della funzione.

Il team di React ha confermato esplicitamente che questi nuovi bug non riapriranno la porta al controllo totale del server. “Queste nuove vulnerabilità non consentono l’esecuzione di codice remoto. La patch per React2Shell rimane efficace nel mitigare l’exploit di esecuzione di codice remoto”.

Il team esorta a procedere con urgenza all’aggiornamento, dato che le vulnerabilità scoperte di recente sono di notevole gravità.

L'articolo React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente proviene da Red Hot Cyber.

  • 0
  • 0
  • 0
  • 20h ago

Bluesky

Profile picture
OpsMatters @opsmatters.com
The latest update for #AikidoSecurity includes "React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell" and "#OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know". #Cybersecurity #AppSec https://opsmtrs.com/48vGyRP
  • 0
  • 0
  • 0
  • Last hour
Profile picture
Hacker News JP 🤖 @hacker-news-jp.bsky.social
💡 Summary: 2025年12月11日、Reactチームは最近のパッチ適用後に新たに発見されたReact Server Componentsの脆弱性を公表しました。これには、悪意のあるリクエストによってサーバーのハングを引き起こす高リスクのサービス拒否(Denial of Service、CVE-2025-55184、67779)や、サーバーの関数ソースコードを漏洩させる可能性のある中リスクのソースコード露出(CVE-2025-55183)が含まれます。既存のパッチは不完全であり、ユーザーは直ちに修正版(19.0.3、19.1.4、 (1/3)
  • 0
  • 0
  • 0
  • 5h ago
Profile picture
Peter @peterrobards.bsky.social
Two new React Server Components vulnerabilities have been discovered: - Denial of Service (High): CVE-2025-55184 -> CVE-2025-67779 - Source Code Exposure (Medium): CVE-2025-55183 If you previously updated to 19.0.2, 19.1.3, or 19.2.2, those patches were incomplete & you will need to update again!
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-55183

Overview

  • Meta
  • react-server-dom-webpack
11 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
0.06%
KEV

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Statistics

  • 8 Posts
  • 3 Interactions
Last activity: 5 hours ago

Fediverse

Profile picture
Cloudflare @cloudflare

Cloudforce One sees active exploitation of React2Shell, with actors targeting critical infrastructure—including nuclear fuel and uranium operations. Probing is concentrated in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand.

React also disclosed two new vulnerabilities (CVE-2025-55183 and CVE-2025-55184). Cloudflare customers are protected against all three flaws.

Read the full threat brief: blog.cloudflare.com/react2shel

  • 1
  • 1
  • 0
  • 12h ago
Profile picture
Bodo Tasche @bitboxer

It’s time for another round of updates. Sorry folks, this will be a “deploy on friday” day.

vercel.com/kb/bulletin/securit

#React2Shell

  • 0
  • 0
  • 0
  • 21h ago
Profile picture
Offensive Sequence @offseq

🔴 CRITICAL: React Server Components (v19.0.0–19.2.2) hit by unauth'd DoS (CVE-2025-55184/67779) & source leak (CVE-2025-55183). Patch to 19.0.3/1.4/2.3. Audit functions & input! radar.offseq.com/threat/new-re

  • 0
  • 0
  • 0
  • 17h ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente

La saga sulla sicurezza dei componenti di React Server continua questa settimana.

Successivamente alla correzione di una vulnerabilità critica relativa all’esecuzione di codice remoto (RCE) che ha portato a React2shell, sono state individuate dai ricercatori due nuove vulnerabilità. Queste ultime, pur essendo meno gravi delle precedenti, comportano rischi significativi, tra cui la possibilità di attacchi Denial of Service (DoS) che possono causare il crash del server e l’esposizione di codice sorgente sensibile.

Le versioni interessate includono la versione da 19.0.0 a 19.0.2, la versione da 19.1.0 a 19.1.2 e la versione da 19.2.0 a 19.2.2. Si consiglia pertanto agli sviluppatori di aggiornare alle versioni corrette appena rilasciate:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Fondamentalmente, queste vulnerabilità hanno un ampio raggio d’azione.

Basta che l’applicazione sia vulnerabile a certe funzioni del server per essere esposta a potenziali rischi, senza doverle necessariamente utilizzare. “Anche se la tua app non implementa alcun endpoint di React Server Function, potrebbe comunque essere vulnerabile se supporta i React Server Components”, avverteono i ricercatori di sicurezza.

Il problema più urgente, ha una severity CVSS di 7.5, e riguarda una vulnerabilità che può mettere in ginocchio un server. Identificata come CVE-2025-55184 e CVE-2025-67779, questa falla consente a un aggressore di innescare un loop infinito sul server inviando una specifica richiesta HTTP dannosa. Secondo l’avviso, il loop consuma la CPU del server, bloccandone di fatto le risorse.

La seconda vulnerabilità, il CVE-2025-55183 ha una severity CVSS 5.3, è un problema di gravità media che colpisce la riservatezza del codice dell’applicazione. E’ stato rilevato che in specifiche circostanze, una richiesta nociva è in grado di convincere una funzione del server a fornire all’attaccante il proprio codice sorgente. Secondo quanto riportato nell’avviso, un esperto di sicurezza ha riscontrato che l’invio di una richiesta HTTP dannosa a una funzione del server suscettibile di vulnerabilità potrebbe comportare la restituzione non sicura del codice sorgente di qualsiasi funzione del server.

Per eseguire l’attacco, è necessario un particolare modello di codifica, nel quale una funzione lato server esplicitamente o implicitamente espone un parametro come stringa. Qualora venisse sfruttata, potrebbe portare alla scoperta di informazioni cruciali a livello logico o di chiavi del database internamente allegate al codice della funzione.

Il team di React ha confermato esplicitamente che questi nuovi bug non riapriranno la porta al controllo totale del server. “Queste nuove vulnerabilità non consentono l’esecuzione di codice remoto. La patch per React2Shell rimane efficace nel mitigare l’exploit di esecuzione di codice remoto”.

Il team esorta a procedere con urgenza all’aggiornamento, dato che le vulnerabilità scoperte di recente sono di notevole gravità.

L'articolo React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente proviene da Red Hot Cyber.

  • 0
  • 0
  • 0
  • 20h ago
Profile picture
Tim Severien @timsev

Remote server execution, denial of service vulnerability, and source code leak, whoever works on React Server Components isn't having a great time.

If you haven't already: upgrade asap.

cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-

  • 0
  • 0
  • 0
  • 15h ago

Bluesky

Profile picture
UndercodeTesting @undercode.bsky.social
Bypassing Cloudflare Walls: The React/Nextjs Source Code Leak (CVE-2025-55183) Exposed + Video Introduction: A critical vulnerability in React and Next.js applications, identified as CVE-2025-55183, has emerged, enabling threat actors to exfiltrate application source code. This flaw is…
  • 0
  • 1
  • 0
  • 10h ago
Profile picture
Hacker News JP 🤖 @hacker-news-jp.bsky.social
💡 Summary: 2025年12月11日、Reactチームは最近のパッチ適用後に新たに発見されたReact Server Componentsの脆弱性を公表しました。これには、悪意のあるリクエストによってサーバーのハングを引き起こす高リスクのサービス拒否(Denial of Service、CVE-2025-55184、67779)や、サーバーの関数ソースコードを漏洩させる可能性のある中リスクのソースコード露出(CVE-2025-55183)が含まれます。既存のパッチは不完全であり、ユーザーは直ちに修正版(19.0.3、19.1.4、 (1/3)
  • 0
  • 0
  • 0
  • 5h ago
Profile picture
Peter @peterrobards.bsky.social
Two new React Server Components vulnerabilities have been discovered: - Denial of Service (High): CVE-2025-55184 -> CVE-2025-67779 - Source Code Exposure (Medium): CVE-2025-55183 If you previously updated to 19.0.2, 19.1.3, or 19.2.2, those patches were incomplete & you will need to update again!
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-54100

Overview

  • Microsoft
  • Windows 10 Version 1809
09 Dec 2025
Published
12 Dec 2025
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.16%
KEV

Description

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

Statistics

  • 3 Posts
  • 5 Interactions
Last activity: 12 hours ago

Fediverse

Profile picture
knoppix @knoppix95

PowerShell 5.1 now shows warnings when scripts use Invoke-WebRequest to fetch web content, aiming to limit silent script execution risks tied to CVE-2025-54100. ⚠️

Admins are urged to switch to -UseBasicParsing to avoid unintended code parsing and prevent automation hang-ups. 🛡️

🔗 bleepingcomputer.com/news/secu

#TechNews #Cybersecurity #Windows #PowerShell #Security #Privacy #InfoSec #Patch #Update #Automation #IT #DevOps #Risk #Technology #Development #Shell #Script #CVE #Vulnerability

  • 2
  • 3
  • 0
  • 12h ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

Vulnerabilità di sicurezza in PowerShell: Una nuova Command Injection su Windows

Un aggiornamento di sicurezza urgente è stato rilasciato per risolvere una vulnerabilità critica in Windows PowerShell, che permette agli aggressori di eseguire codice malevolo sui sistemi colpiti. Questa falla di sicurezza, catalogata come CVE-2025-54100, è stata divulgata il 9 dicembre 2025 e costituisce una minaccia considerevole per l’integrità dei sistemi informatici a livello globale.

Microsoft classifica la vulnerabilità come importante, con un punteggio di gravità CVSS di 7,8. La debolezza, identificata come CWE-77, si riferisce alla neutralizzazione impropria di elementi speciali impiegati negli attacchi di iniezione di comandi.

Microsoft considera remota la possibilità che questa vulnerabilità venga sfruttata in attacchi reali. La vulnerabilità è stata già divulgata pubblicamente. Gli aggressori devono disporre di accesso locale e dell’intervento dell’utente per eseguire l’attacco, pertanto sono costretti a cercare di indurre gli utenti ad aprire file dannosi o eseguire comandi sospetti.

Patch di sicurezza sono state rilasciate da Microsoft su diverse piattaforme. È fondamentale che le organizzazioni che operano con Windows Server 2025, Windows 11 nelle versioni 24H2 e 25H2, e Windows Server 2022, procedano con l’applicazione delle patch mediante KB5072033 o KB5074204, dando priorità all’aggiornamento.

Il difetto si verifica quando elementi speciali in Windows PowerShell vengono neutralizzati in modo improprio durante gli attacchi di iniezione di comandi. Ciò permette ad aggressori non autorizzati di eseguire codice arbitrario localmente tramite comandi appositamente predisposti.

Microsoft consiglia di utilizzare l’opzione UseBasicParsing per impedire l’esecuzione di codice script dal contenuto Web. Inoltre, le organizzazioni dovrebbero implementare le linee guida contenute nell’articolo KB5074596 in merito alle misure di sicurezza di PowerShell 5.1 per mitigare i rischi legati all’esecuzione degli script.

La vulnerabilità colpisce un’ampia gamma di sistemi operativi Windows, tra cui Windows 10, Windows 11, Windows Server 2008 fino alla versione 2025 e varie configurazioni di sistema. Gli utenti che utilizzano Windows 10 e versioni precedenti necessitano di aggiornamenti separati, come KB5071546 o KB5071544.

L'articolo Vulnerabilità di sicurezza in PowerShell: Una nuova Command Injection su Windows proviene da Red Hot Cyber.

  • 0
  • 0
  • 0
  • 20h ago

Bluesky

Profile picture
MSXFAQ (Frank Carius) @msxfaq.de
#MSXFAQ PowerShell als HTTP-Client www.msxfaq.de/powershell/p... - KB5074596 bricht Invoke-WebRequest als Fix gegen CVE-2025-54100. Wer in Skripten so Informationen abruft und kein "-useBasicParsing" nutzt, muss den Abruf bestätigen. Bitte prüft eure Automatisierungsskripte ehe sie blockiert werden.
  • 0
  • 0
  • 0
  • 14h ago

CVE-2025-58360

Overview

  • geoserver
  • geoserver
25 Nov 2025
Published
12 Dec 2025
Updated
CVSS v3.1
HIGH (8.2)
EPSS
73.17%
KEV

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Statistics

  • 4 Posts
Last activity: 18 hours ago

Fediverse

Profile picture
leakix @leakix

🚨 New plugin: GeoserverXxePlugin (CVE-2025-58360).

GeoServer XXE vulnerability detection - XML External Entity injection in WMS GetMap operation, added to CISA KEV catalog.

Results: leakix.net/search?q=%2Bplugin%

  • 0
  • 0
  • 1
  • 18h ago

Bluesky

Profile picture
piggo @pigondrugs.bsky.social
~Cisa~ CISA added the actively exploited OSGeo GeoServer XXE vulnerability (CVE-2025-58360) to its KEV catalog. - IOCs: CVE-2025-58360 - #CVE202558360 #GeoServer #ThreatIntel
  • 0
  • 0
  • 0
  • 23h ago
Profile picture
Information Security Briefly @infosecbriefly.bsky.social
CVE-2025-58360 is an unauthenticated XXE in OSGeo GeoServer being exploited in the wild; affected versions require immediate patching to prevent file access, SSRF, and DoS.
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-43529

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 5 Posts
  • 18 Interactions
Last activity: 7 hours ago

Fediverse

Profile picture
ApplSec @applsec

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2025-14174 (WebKit) additional patches,
🐛 CVE-2025-43529 (WebKit) additional patches:
- Safari 26.2

  • 6
  • 5
  • 1
  • 7h ago
Profile picture
cR0w h0 h0 @cR0w

Two EITW 0days patched in iOS Webkit. The advisory says the exploits were against pre-iOS 26 but they have patches for 26 as well. And some other ones to go with those.

support.apple.com/en-us/125884

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

  • 2
  • 3
  • 0
  • 7h ago

Bluesky

Profile picture
ApplSec @applsec.bsky.social
📣 EMERGENCY UPDATES 📣 Apple pushed updates for 2 new zero-days that may have been actively exploited. 🐛 CVE-2025-14174 (WebKit), 🐛 CVE-2025-43529 (WebKit): - iOS and iPadOS 18.7.3 - iOS and iPadOS 26.2 - macOS Tahoe 26.2 - tvOS 26.2 - visionOS 26.2 - watchOS 26.2 #apple #infosec
  • 2
  • 0
  • 1
  • 8h ago

CVE-2025-66430

Overview

  • Pending
12 Dec 2025
Published
12 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

Plesk 18.0 has Incorrect Access Control.

Statistics

  • 2 Posts
  • 1 Interaction
Last activity: 2 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

I think I already posted this one but the CVE was just published so go hack more Plesk shit anyway.

support.plesk.com/hc/en-us/art

  • 0
  • 1
  • 0
  • 10h ago
Profile picture
Offensive Sequence @offseq

🔔 CRITICAL: Plesk 18.0 (CVE-2025-66430) suffers from incorrect access control, risking unauthorized admin actions. No exploit yet, but review roles, restrict access, and monitor logs ASAP. Patch pending. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 2h ago

CVE-2025-14611

Overview

  • Gladinet
  • CentreStack and TrioFox
12 Dec 2025
Published
12 Dec 2025
Updated
CVSS v4.0
HIGH (7.1)
EPSS
Pending
KEV

Description

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.

Statistics

  • 2 Posts
Last activity: 1 hour ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

There's now a CVE for the EITW Gladinet / Triofox hardcoded key vuln from a few days ago.

huntress.com/blog/active-explo

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 0
  • 0
  • 6h ago
Profile picture
Offensive Sequence @offseq

🔎 HIGH severity: CVE-2025-14611 in Gladinet CentreStack & TrioFox (<16.12.10420.56791) — hardcoded AES weakens crypto & enables unauth LFI. Restrict public access, monitor for LFI attempts, prep for patch. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

CVE-2025-67779

Overview

  • Meta
  • react-server-dom-parcel
11 Dec 2025
Published
12 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV

Description

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Statistics

  • 4 Posts
  • 12 Interactions
Last activity: 13 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.

facebook.com/security/advisori

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

  • 6
  • 6
  • 0
  • 13h ago
Profile picture
Cybersecurity & cyberwarfare @cybersecurity

React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente

La saga sulla sicurezza dei componenti di React Server continua questa settimana.

Successivamente alla correzione di una vulnerabilità critica relativa all’esecuzione di codice remoto (RCE) che ha portato a React2shell, sono state individuate dai ricercatori due nuove vulnerabilità. Queste ultime, pur essendo meno gravi delle precedenti, comportano rischi significativi, tra cui la possibilità di attacchi Denial of Service (DoS) che possono causare il crash del server e l’esposizione di codice sorgente sensibile.

Le versioni interessate includono la versione da 19.0.0 a 19.0.2, la versione da 19.1.0 a 19.1.2 e la versione da 19.2.0 a 19.2.2. Si consiglia pertanto agli sviluppatori di aggiornare alle versioni corrette appena rilasciate:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Fondamentalmente, queste vulnerabilità hanno un ampio raggio d’azione.

Basta che l’applicazione sia vulnerabile a certe funzioni del server per essere esposta a potenziali rischi, senza doverle necessariamente utilizzare. “Anche se la tua app non implementa alcun endpoint di React Server Function, potrebbe comunque essere vulnerabile se supporta i React Server Components”, avverteono i ricercatori di sicurezza.

Il problema più urgente, ha una severity CVSS di 7.5, e riguarda una vulnerabilità che può mettere in ginocchio un server. Identificata come CVE-2025-55184 e CVE-2025-67779, questa falla consente a un aggressore di innescare un loop infinito sul server inviando una specifica richiesta HTTP dannosa. Secondo l’avviso, il loop consuma la CPU del server, bloccandone di fatto le risorse.

La seconda vulnerabilità, il CVE-2025-55183 ha una severity CVSS 5.3, è un problema di gravità media che colpisce la riservatezza del codice dell’applicazione. E’ stato rilevato che in specifiche circostanze, una richiesta nociva è in grado di convincere una funzione del server a fornire all’attaccante il proprio codice sorgente. Secondo quanto riportato nell’avviso, un esperto di sicurezza ha riscontrato che l’invio di una richiesta HTTP dannosa a una funzione del server suscettibile di vulnerabilità potrebbe comportare la restituzione non sicura del codice sorgente di qualsiasi funzione del server.

Per eseguire l’attacco, è necessario un particolare modello di codifica, nel quale una funzione lato server esplicitamente o implicitamente espone un parametro come stringa. Qualora venisse sfruttata, potrebbe portare alla scoperta di informazioni cruciali a livello logico o di chiavi del database internamente allegate al codice della funzione.

Il team di React ha confermato esplicitamente che questi nuovi bug non riapriranno la porta al controllo totale del server. “Queste nuove vulnerabilità non consentono l’esecuzione di codice remoto. La patch per React2Shell rimane efficace nel mitigare l’exploit di esecuzione di codice remoto”.

Il team esorta a procedere con urgenza all’aggiornamento, dato che le vulnerabilità scoperte di recente sono di notevole gravità.

L'articolo React Server: Nuovi bug critici portano a DoS e alla divulgazione del codice sorgente proviene da Red Hot Cyber.

  • 0
  • 0
  • 0
  • 20h ago
Profile picture
Tim Severien @timsev

Remote server execution, denial of service vulnerability, and source code leak, whoever works on React Server Components isn't having a great time.

If you haven't already: upgrade asap.

cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-

  • 0
  • 0
  • 0
  • 15h ago

Bluesky

Profile picture
Peter @peterrobards.bsky.social
Two new React Server Components vulnerabilities have been discovered: - Denial of Service (High): CVE-2025-55184 -> CVE-2025-67779 - Source Code Exposure (Medium): CVE-2025-55183 If you previously updated to 19.0.2, 19.1.3, or 19.2.2, those patches were incomplete & you will need to update again!
  • 0
  • 0
  • 0
  • 22h ago
Showing 1 to 10 of 50 CVEs