Overview
- Meta
- react-server-dom-webpack
Description
Statistics
- 22 Posts
- 270 Interactions
Fediverse
There is an unauthenticated remote code execution vulnerability in React Server Components.
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
If your app’s React code does not use a server, your app is not affected by this vulnerability.
CVE-2025-55182
Mastodon server not impacted btw.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
RCE in React Server Components, impacting React and Next.js. I usually don't say this, but patch right freakin' now. The React CVE listing (CVE-2025-55182) is a perfect 10.
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478
Oh Hell yeah. Perfect 10 in React Server Components. 🥳
https://www.facebook.com/security/advisories/cve-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
"We did a number of refactors [...] This also fixes a critical security vulnerability." 👀
CVE-2025-55182, an RCE in React Server Components just landed:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Enjoy your patching, and make sure to check your bundled frameworks and dependencies.
Here's the commit:
https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
CVE-2025-55182 CVSS 10.0
For interested folks, here’s the React PR that fixes CVE-2025-55182 affecting React Server Components (CVSS 10.0 Critical Severity): https://github.com/facebook/react/pull/35277
Blog post: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
> Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
Cloudflare offers protection against a new high profile vulnerability for React Server Components: CVE-2025-55182. All customers with WAF enabled are automatically protected. https://blog.cloudflare.com/waf-rules-react-vulnerability/
@Weld I see this blog post from them: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
Do you use react? If so, you might want to update. See https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
Bluesky
Description
Statistics
- 8 Posts
Fediverse
CISA has added two vulnerabilities to the KEV Catalog:
CVE-2025-48633: Android Framework Information Disclosure Vulnerability
CVE-2025-48572: Android Framework Privilege Escalation Vulnerability
CISA has added two Android Framework 0-days (CVE-2025-48572 & CVE-2025-48633) to the KEV list, confirming active exploitation.
Together, they enable privilege escalation and information disclosure, forming a potentially complete compromise path for targeted devices.
Federal agencies have a December 23 patch deadline, and wider organizations are encouraged to roll out updates and monitor for related indicators.
💬 Mobile ecosystems remain a critical attack surface - what best practices have worked for your teams?
Source: https://cybersecuritynews.com/android-0-day-vulnerability-exploited/
Follow us for ongoing vulnerability and threat intelligence updates.
#Cybersecurity #AndroidSecurity #KEV #CISA #ZeroDay #MobileThreats #ThreatIntel #Infosec #SecurityUpdates #DeviceSecurity
Bluesky
Overview
- Industrial Video & Control
- Longwatch
Description
Statistics
- 2 Posts
- 15 Interactions
Fediverse
Always look at the credits in CVE records, they’re full of insightful details.
I particularly enjoyed this one. By the way, in Vulnerability Lookup we also have a nice display of the actual credits: finder, coordinator, and so on.
🔗 https://vulnerability.circl.lu/vuln/cve-2025-13658
"A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges."
⚠️ CRITICAL: CVE-2025-13658 hits Industrial Video & Control Longwatch v6.309 — remote unauthenticated code execution via HTTP GET grants SYSTEM privileges. No patch yet. Segment, restrict access, monitor traffic. Full advisory: https://radar.offseq.com/threat/cve-2025-13658-cwe-94-improper-control-of-generati-128a847f #OffSeq #OTSecurity #CVE2025
Overview
Description
Statistics
- 2 Posts
- 36 Interactions
Fediverse
Overview
- Microsoft
- Windows
Description
Statistics
- 2 Posts
- 3 Interactions
Bluesky
Overview
- Red Hat
- Red Hat OpenShift Dev Spaces
- devspaces/code-rhel9
Description
Statistics
- 1 Post
- 28 Interactions
Fediverse
lolwut
https://access.redhat.com/security/cve/CVE-2025-57850
This issue stems from the /etc/passwd file being created with group-writable permissions during build time.
Overview
- hwk-fr
- Advanced Custom Fields: Extended
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse
🚨 CVE-2025-13486: CRITICAL RCE in Advanced Custom Fields: Extended for WordPress (v0.9.0.5–0.9.1.1). Unauthenticated attackers can inject code via prepare_form(). Remove or restrict plugin ASAP—no patch yet! https://radar.offseq.com/threat/cve-2025-13486-cwe-94-improper-control-of-generati-abf63164 #OffSeq #WordPress #RCE #Infosec
Overview
- kingaddons
- King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor
Description
Statistics
- 2 Posts
Fediverse
Critical WordPress plugin flaw alert — CVE-2025-8489 (King Addons for Elementor) is being widely exploited.
The vulnerability allowed unauthenticated attackers to assign themselves administrator roles, leading to complete site compromise.
Defiant’s telemetry shows nearly 50,000 exploitation attempts.
If you’re managing WordPress infrastructure, verifying plugin versions and reviewing registration logs is strongly recommended.
Source: https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/
💬 What mitigation practices do you use to reduce plugin-related risks?
🔁 Follow for unbiased security updates.
#Infosec #WordPressSecurity #CVE20258489 #ThreatIntel #KingAddons #Elementor #WebSecurity
Overview
Description
Statistics
- 2 Posts