Overview
- Meta
- react-server-dom-webpack
Description
Statistics
- 57 Posts
- 735 Interactions
Fediverse
There is an unauthenticated remote code execution vulnerability in React Server Components.
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
If your app’s React code does not use a server, your app is not affected by this vulnerability.
CVE-2025-55182
Mastodon server not impacted btw.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
There's an epic react server component RCE exploit making the rounds today.
A proof of concept just dropped. Probably wanna patch this rapidly.
There is currently an incident at work due to the remote code execution vulnerability in React (see CVE-2025-55182).
Co-worker: How long will it take to patch the dev server UI?
Me: It's not affected.
Co-worker: How can it not be affected if it uses React?
Me:
RCE in React Server Components, impacting React and Next.js. I usually don't say this, but patch right freakin' now. The React CVE listing (CVE-2025-55182) is a perfect 10.
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478
Oh Hell yeah. Perfect 10 in React Server Components. 🥳
https://www.facebook.com/security/advisories/cve-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check your bundled frameworks and dependencies.
Here's the commit:
https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
For interested folks, here’s the React PR that fixes CVE-2025-55182 affecting React Server Components (CVSS 10.0 Critical Severity): https://github.com/facebook/react/pull/35277
Blog post: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
> Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
39% of Cloud instances need to patch urgently for 100% reliable unauthenticated RCE in React and Next.js
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
CVE-2025-55182 CVSS 10.0
Cloudflare offers protection against a new high profile vulnerability for React Server Components: CVE-2025-55182. All customers with WAF enabled are automatically protected. https://blog.cloudflare.com/waf-rules-react-vulnerability/
Use javascript for everything, they said... it'll be fine, they said...
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
A #criticalsecurityflaw (CVE-2025-55182) in #ReactServerComponents (#RSC) allows unauthenticated remote code execution. The vulnerability, impacting #React and #Nextjs, stems from unsafe payload processing and affects multiple versions of various packages. Users are advised to apply the available #patches immediately. https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html?eicker.news #tech #media #news
Yikes. I always hate the damn red alert anxiety feeling I get when I read articles like the one linked. It's always that time between when something is publicly disclosed and when all packages and dependencies are patched and upgraded that the likelihood of attack is highest, and obviously most possible. These two perfect 10/10 CVEs sure look like a doozy. No doubt hundreds of thousands of major things depend on these other major things, and likely hundreds of thousands more things include them as dependencies or resource-wasting function packs, regardless of whether or not they are actually needed, and some software even puts these components in the chain when they're not actively being used.
And the exploit, with nearly 100% success-rate on all affected systems? A simple specially-crafted HTTP request.
https://www.aikido.dev/blog/react-nextjs-cve-2025-55182-rce
LoL. Yep, my first thought is that this new React vuln is going to generate a lot of IR business. I am going to hell.
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
@Weld I see this blog post from them: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
Severe React Server Components Flaw Exposes Millions of Apps and Websites
#Security #Cybersecurity #React #NextJS #RCE #CloudSecurity #Vulnerability #DevOps #WebDev #Meta #Vercel #CVE202555182 #SoftwareEngineering
Do you use react? If so, you might want to update. See https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
⚠️ CRITICAL RCE in React Server Components & Next.js (CVE-2025-55182, CVSS 10.0): Unauthenticated attackers can execute code via unsafe deserialization. Patch React & Next.js now! Details: https://radar.offseq.com/threat/critical-rsc-bugs-in-react-and-nextjs-allow-unauth-4e911b0c #OffSeq #ReactJS #NextJS #RCE #InfoSec
@MoritzGlantz https://www.cve.org/CVERecord?id=CVE-2025-55182 React Server stuff
🚨 CVE-2025-55182: CRITICAL React RCE risk for apps using a new feature. No patch yet; exploitation expected. Audit your React usage, enhance monitoring, and prep mitigations now. EU orgs at high risk! https://radar.offseq.com/threat/react2shell-in-the-wild-exploitation-expected-for--b4d27fa6 #OffSeq #ReactJS #RCE #Vulnerability
A public service announcement regarding CVEs: one identified vulnerability gets one #CVE.
Each vendor doesn't get their own CVE that corresponds to their security bulletin.
CVE-2025-66478 is REJECTED as duplicate of CVE-2025-55182
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.
The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages -
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
It's worth noting that the vulnerability also affects Next.js using App Router. The issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0). It impacts versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
#REACTjs #NEXTjs #infosec #cybersecurity #CVE202566478 #CVE202555182 #ShitIsOnFireYo
⚠️ Critical RCE Vulnerabilities Discovered in React & Next.js | Wiz Blog
「 Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances 」
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
Bluesky
Overview
Description
Statistics
- 18 Posts
- 59 Interactions
Fediverse
@GossiTheDog Worth mentioning that Next.js appears affected 15.x and 16.x.
Overview
- Microsoft
- Windows
Description
Statistics
- 5 Posts
- 5 Interactions
Fediverse
Update: With the November 2025 update, Microsoft released a "non-patch patch". Fairly quietly, the way Windows handles *.lnk files was changed, presumably with the aim of closing the security vulnerability CVE-2025-9491.
A Windows zero-day flaw associated with LNK files has been quietly mitigated by Microsoft https://www.it-connect.fr/windows-zero-day-fichiers-lnk-cve-2025-9491-attenuation-microsoft/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #Microsoft #Windows
Overview
- kingaddons
- King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Description
Statistics
- 4 Posts
- 7 Interactions
Fediverse
Critical WordPress plugin flaw alert — CVE-2025-8489 (King Addons for Elementor) is being widely exploited.
The vulnerability allowed unauthenticated attackers to assign themselves administrator roles, leading to complete site compromise.
Defiant’s telemetry shows nearly 50,000 exploitation attempts.
If you’re managing WordPress infrastructure, verifying plugin versions and reviewing registration logs is strongly recommended.
Source: https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/
💬 What mitigation practices do you use to reduce plugin-related risks?
🔁 Follow for unbiased security updates.
#Infosec #WordPressSecurity #CVE20258489 #ThreatIntel #KingAddons #Elementor #WebSecurity
⚠️ Active exploit: CRITICAL flaw in King Addons for Elementor (WordPress) lets unauth attackers register as admins (CVE-2025-8489). Patch to 51.1.35+ ASAP, audit admin accounts, monitor /wp-admin/admin-ajax.php. https://radar.offseq.com/threat/wordpress-king-addons-flaw-under-active-attack-let-7dd87bc3 #OffSeq #WordPress #infosec #vuln
Overview
- OpenVPN
- OpenVPN
Description
Statistics
- 2 Posts
- 7 Interactions
Fediverse
Hold up.
Wait a minute.
Something ain't right.
https://community.openvpn.net/Security%20Announcements/CVE-2025-13086
Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client.
Description
Statistics
- 3 Posts
Fediverse
CISA has added two Android Framework 0-days (CVE-2025-48572 & CVE-2025-48633) to the KEV list, confirming active exploitation.
Together, they enable privilege escalation and information disclosure, forming a potentially complete compromise path for targeted devices.
Federal agencies have a December 23 patch deadline, and wider organizations are encouraged to roll out updates and monitor for related indicators.
💬 Mobile ecosystems remain a critical attack surface - what best practices have worked for your teams?
Source: https://cybersecuritynews.com/android-0-day-vulnerability-exploited/
Follow us for ongoing vulnerability and threat intelligence updates.
#Cybersecurity #AndroidSecurity #KEV #CISA #ZeroDay #MobileThreats #ThreatIntel #Infosec #SecurityUpdates #DeviceSecurity