Overview

  • Meta
  • react-server-dom-parcel

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.04%

KEV

Description

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Statistics

  • 5 Posts
  • 1 Interaction

Last activity: Last hour

Fediverse

Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.

facebook.com/security/advisori

  • 0
  • 0
  • 0
  • Last hour
React Server: New critical bugs lead to DoS and source code disclosure

The React Server Components security saga continues this week.

Following the fix of a critical remote code execution (RCE) vulnerability that led to React2shell, researchers have identified two new vulnerabilities. Although less severe than the previous ones, they carry significant risks, including the possibility of Denial of Service (DoS) attacks that can crash the server and the exposure of sensitive source code.

The affected versions include 19.0.0 through 19.0.2, 19.1.0 through 19.1.2, and 19.2.0 through 19.2.2. Developers are therefore advised to update to the newly released fixed versions:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Fundamentally, these vulnerabilities have a wide reach.

It is enough for the application to be vulnerable to certain server functions to be exposed to potential risks, without necessarily using them. "Even if your app does not implement any React Server Function endpoint, it could still be vulnerable if it supports React Server Components," security researchers warn.

The most urgent issue has a CVSS severity of 7.5 and concerns a vulnerability that can bring a server to its knees. Identified as CVE-2025-55184 and CVE-2025-67779, this flaw allows an attacker to trigger an infinite loop on the server by sending a specific malicious HTTP request. According to the advisory, the loop consumes the server's CPU, effectively tying up its resources.

The second vulnerability, CVE-2025-55183, has a CVSS severity of 5.3 and is a medium-severity issue affecting the confidentiality of the application's code. It was found that, under specific circumstances, a malicious request is able to convince a server function to hand its own source code to the attacker. According to the advisory, a security expert found that sending a malicious HTTP request to a vulnerable server function could result in the unsafe return of the source code of any server function.

To carry out the attack, a particular coding pattern is required, in which a server-side function explicitly or implicitly exposes a parameter as a string. If exploited, it could lead to the discovery of crucial logic-level information or database keys embedded internally in the function's code.

The React team has explicitly confirmed that these new bugs will not reopen the door to full control of the server. "These new vulnerabilities do not allow remote code execution. The React2Shell patch remains effective in mitigating the remote code execution exploit."

The team urges users to update urgently, given that the recently discovered vulnerabilities are of considerable severity.

The article React Server: New critical bugs lead to DoS and source code disclosure originally appeared on Red Hot Cyber.

  • 0
  • 0
  • 0
  • 7h ago
Remote server execution, denial of service vulnerability, and source code leak, whoever works on React Server Components isn't having a great time.

If you haven't already: upgrade asap.

cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-
cve.org/CVERecord?id=CVE-2025-

  • 0
  • 0
  • 0
  • 2h ago

Bluesky

🚨 BREAKING: React drops new security patches for CVE-2025-55183 & CVE-2025-67779 Two new vulnerabilities discovered: ✅ DoS (CVSS 7.5) - can crash your servers ✅ Source code exposure (CVSS 5.3) - leaks business logic Read Details - www.cyberkendra.com/2025/12/reac... #React2shell
  • 0
  • 1
  • 0
  • 11h ago
Two new React Server Components vulnerabilities have been discovered: - Denial of Service (High): CVE-2025-55184 -> CVE-2025-67779 - Source Code Exposure (Medium): CVE-2025-55183 If you previously updated to 19.0.2, 19.1.3, or 19.2.2, those patches were incomplete & you will need to update again!
  • 0
  • 0
  • 0
  • 9h ago

Overview

  • Pending

Pending
Published
03 Dec 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This CVE is a duplicate of CVE-2025-55182.

Statistics

  • 4 Posts
  • 6 Interactions

Last activity: 5 hours ago

Bluesky

The latest update for #Veracode includes "Threat Research Year In Review – 2025" and "Decoding CVE-2025-66478: Signal vs. Noise in #SCA". #cybersecurity #softwaresecurity #AppSec #DevSecOps https://opsmtrs.com/3eO6tf7
  • 0
  • 0
  • 0
  • 12h ago
This looks important - ⚠️ CVE Update: CVE-2025-66478 is officially a duplicate of CVE-2025-55182. Same root cause: Both stem from same vulnerability. Not a false positive: Detections for 66478 remain valid. Canonical ID: Use CVE-2025-55182 moving forward. Read here: api.cyfluencer.com/s/react2shel...
  • 0
  • 6
  • 1
  • 5h ago
The latest update for #Wallarm includes "2026 #API and #AI Security Predictions: What Experts Expect in the Year Ahead" and "Update on React Server Components RCE Vulnerability (CVE-2025-55182 / CVE-2025-66478)". #cybersecurity #APISecurity #AppSec https://opsmtrs.com/453oM6P
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • glib2

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Statistics

  • 1 Post
  • 5 Interactions

Last activity: 21 hours ago

Fediverse

BoF in glib.

access.redhat.com/security/cve

  • 3
  • 2
  • 0
  • 21h ago

Overview

  • Tenda
  • CH22

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.09%

KEV

Description

A security flaw has been discovered in Tenda CH22 1.0.0.1. It affects the function frmL7ImForm of the file /goform/L7Im. Manipulating the argument page results in a buffer overflow. The attack can be carried out remotely. The exploit has been released to the public and may be used.

Statistics

  • 1 Post
  • 10 Interactions

Last activity: 21 hours ago

Overview

  • Pending

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 17 hours ago

Fediverse

  • 1
  • 1
  • 0
  • 17h ago

Overview

  • Google
  • Chrome

26 Aug 2025
Published
28 Aug 2025
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

Google seals critical Chrome flaw (CVE-2025-9478) under attack: "use-after-free" bug in WebGL lets hackers run code via rigged pages. Update to v139.0.7258.154+ NOW! 🔒💻 heise.de/en/news/Chrome-update #ChromeUpdate #CyberSecurity
#Newz

  • 1
  • 0
  • 0
  • 6h ago

Overview

  • D-Link
  • DIR-803

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
0.04%

KEV

Description

A vulnerability was detected in D-Link DIR-803 up to 1.04. An unknown function of the file /getcfg.php in the Configuration Handler component is affected. Manipulating the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 20 hours ago

Overview

  • elysiajs
  • elysia

09 Dec 2025
Published
09 Dec 2025
Updated

CVSS v4.0
CRITICAL (9.1)
EPSS
0.05%

KEV

Description

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging the results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type set as a standalone guard to allow the `__proto__` prop to be merged. When combined with GHSA-8vch-m3f4-q8jf, this allows full RCE by an attacker. This issue is fixed in version 1.4.17. As a workaround, remove the `__proto__` key from the body.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Bluesky

‼️ A critical issue has landed for anyone building with Elysia.js. CVE-2025-66456 allows attackers to achieve remote code execution through a prototype-pollution pathway in certain schema-validation flows. buff.ly/RCQHiLI #ElysiaJS #CVE202566456 #RCE #AppSec #NodeSecurity #TypeScript 🧵1/5
  • 0
  • 1
  • 0
  • 22h ago

Overview

  • Pending

11 Feb 2025
Published
12 Feb 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

New BYOVD loader behind DeadLock ransomware attack
blog.talosintelligence.com/byo

While tracking ransomware activities, Cisco Talos uncovered new tactics,
techniques, and procedures (TTPs) linked to a financially motivated threat
actor targeting victims with DeadLock ransomware.

The actor used the Bring Your Own Vulnerable Driver (BYOVD) technique with a
previously unknown loader to exploit the Baidu Antivirus driver vulnerability
(CVE-2024-51324), enabling the termination of endpoint detection and response
(EDR) processes.

The actor ran a PowerShell script that bypasses User Account Control (UAC),
disables Windows Defender, terminates various security, backup, and database
services, and deletes all volume shadow copies to prevent system recovery.

This custom encryption method allows DeadLock ransomware to effectively
encrypt different file types in enterprise environments while preventing
system corruption through selective targeting and anti-forensics techniques,
which complicate recovery.

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Aarondoran
  • servify-express

12 Dec 2025
Published
12 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.05%

KEV

Description

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

🚨 CVE-2025-67731 (HIGH, CVSS 8.7): Aarondoran servify-express <1.2 lets attackers send huge JSON bodies, causing DoS. Fix: upgrade to 1.2+, set parser size limits, or use reverse proxy controls. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago