There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

RCE in React Server Components, impacting React and Next.js. I usually don't say this, but patch right freakin' now. The React CVE listing (CVE-2025-55182) is a perfect 10.

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478

Oh Hell yeah. Perfect 10 in React Server Components. 🥳

https://www.facebook.com/security/advisories/cve-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀

CVE-2025-55182, an RCE in React Server Components just landed:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Enjoy your patching, and make sure to check your bundled frameworks and dependencies.

Here's the commit:
https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700

For interested folks, here’s the React PR that fixes CVE-2025-55182 affecting React Server Components (CVSS 10.0 Critical Severity): https://github.com/facebook/react/pull/35277

Blog post: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

> Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

This seems bad:

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

https://www.aikido.dev/blog/react-nextjs-cve-2025-55182-rce

Right?

#Cybersecurity #Infosec #Vulnerabilities #CVE_202555182

Cloudflare offers protection against a new high profile vulnerability for React Server Components: CVE-2025-55182. All customers with WAF enabled are automatically protected. https://blog.cloudflare.com/waf-rules-react-vulnerability/

@Weld I see this blog post from them: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

Do you use react? If so, you might want to update. See https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

CISA has added two vulnerabilities to the KEV Catalog:

CVE-2025-48633: Android Framework Information Disclosure Vulnerability

CVE-2025-48572: Android Framework Privilege Escalation Vulnerability

https://darkwebinformer.com/cisa-kev-catalog/

CISA has added two Android Framework 0-days (CVE-2025-48572 & CVE-2025-48633) to the KEV list, confirming active exploitation.

Together, they enable privilege escalation and information disclosure, forming a potentially complete compromise path for targeted devices.

Federal agencies have a December 23 patch deadline, and wider organizations are encouraged to roll out updates and monitor for related indicators.

💬 Mobile ecosystems remain a critical attack surface - what best practices have worked for your teams?

Source: https://cybersecuritynews.com/android-0-day-vulnerability-exploited/

Follow us for ongoing vulnerability and threat intelligence updates.

#Cybersecurity #AndroidSecurity #KEV #CISA #ZeroDay #MobileThreats #ThreatIntel #Infosec #SecurityUpdates #DeviceSecurity

CISA has added two vulnerabilities to the KEV Catalog:

CVE-2025-48633: Android Framework Information Disclosure Vulnerability

CVE-2025-48572: Android Framework Privilege Escalation Vulnerability

https://darkwebinformer.com/cisa-kev-catalog/

CISA has added two Android Framework 0-days (CVE-2025-48572 & CVE-2025-48633) to the KEV list, confirming active exploitation.

Together, they enable privilege escalation and information disclosure, forming a potentially complete compromise path for targeted devices.

Federal agencies have a December 23 patch deadline, and wider organizations are encouraged to roll out updates and monitor for related indicators.

💬 Mobile ecosystems remain a critical attack surface - what best practices have worked for your teams?

Source: https://cybersecuritynews.com/android-0-day-vulnerability-exploited/

Follow us for ongoing vulnerability and threat intelligence updates.

#Cybersecurity #AndroidSecurity #KEV #CISA #ZeroDay #MobileThreats #ThreatIntel #Infosec #SecurityUpdates #DeviceSecurity

Always look at the credits in CVE records, they’re full of insightful details.

I particularly enjoyed this one. By the way, in Vulnerability Lookup we also have a nice display of the actual credits: finder, coordinator, and so on.

🔗 https://vulnerability.circl.lu/vuln/cve-2025-13658

"A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.
"

#cve #gcve #vulnerability #vulnerabilitymanagement

⚠️ CRITICAL: CVE-2025-13658 hits Industrial Video & Control Longwatch v6.309 — remote unauthenticated code execution via HTTP GET grants SYSTEM privileges. No patch yet. Segment, restrict access, monitor traffic. Full advisory: https://radar.offseq.com/threat/cve-2025-13658-cwe-94-improper-control-of-generati-128a847f #OffSeq #OTSecurity #CVE2025

RCE in React Server Components, impacting React and Next.js. I usually don't say this, but patch right freakin' now. The React CVE listing (CVE-2025-55182) is a perfect 10.

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478

^lolwut

https://access.redhat.com/security/cve/CVE-2025-57850

This issue stems from the /etc/passwd file being created with group-writable permissions during build time.

🚨 CVE-2025-13486: CRITICAL RCE in Advanced Custom Fields: Extended for WordPress (v0.9.0.5–0.9.1.1). Unauthenticated attackers can inject code via prepare_form(). Remove or restrict plugin ASAP—no patch yet! https://radar.offseq.com/threat/cve-2025-13486-cwe-94-improper-control-of-generati-abf63164 #OffSeq #WordPress #RCE #Infosec

Critical WordPress plugin flaw alert — CVE-2025-8489 (King Addons for Elementor) is being widely exploited.

The vulnerability allowed unauthenticated attackers to assign themselves administrator roles, leading to complete site compromise.

Defiant’s telemetry shows nearly 50,000 exploitation attempts.
If you’re managing WordPress infrastructure, verifying plugin versions and reviewing registration logs is strongly recommended.

Source: https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/

💬 What mitigation practices do you use to reduce plugin-related risks?
🔁 Follow for unbiased security updates.

#Infosec #WordPressSecurity #CVE20258489 #ThreatIntel #KingAddons #Elementor #WebSecurity