🚨 CRITICAL: React & Next.js RSC bugs enable unauthenticated RCE on public servers. No CVE yet, but risk of server takeover is high. Restrict server access, monitor logs, and await patches. Details: https://radar.offseq.com/threat/critical-rsc-bugs-in-react-and-nextjs-allow-unauth-3bcb230e #OffSeq #React #Nextjs #infosec

Last one to React is a smelly panda?
https://github.com/ejpir/CVE-2025-55182-poc
There's an epic react server component RCE exploit making the rounds today.
A proof of concept just dropped. Probably wanna patch this rapidly.
https://github.com/ejpir/CVE-2025-55182-poc/tree/main
#React #Javascript #Cybersecurity #breaking
🚨 React disclosed a critical (CVSS 10.0) RCE in React Server Components. If you use RSC (often via frameworks like Next.js), upgrade react-server-dom-* to patched versions ASAP.
Details → https://socket.dev/blog/critical-security-vulnerability-in-react-server-components #NodeJS #React
[Translation] Critical security vulnerability in React Server Components
Important security update for React developers 🛡️ An RCE vulnerability has been discovered, related to incorrect decoding of payloads in Server Functions. It allows unauthenticated users to execute code on the server. What you need to do: check whether you use React Server Components. If you do (for example, in Next.js 15+), update the packages immediately. Fixes are available in versions 19.0.1, 19.1.2 and 19.2.1.
https://habr.com/ru/articles/973050/
As vulnerabilities go, a 10 is as bad as it gets. If you use #React or one of its derivatives (e.g., #Nextjs) you should upgrade Right. Now.
https://www.cve.org/CVERecord?id=CVE-2025-55182
A perfect-ten vulnerability has been revealed in the hugely popular JavaScript library React
The vulnerability, which has received the most severe risk rating, allows malicious code to be executed on the server, and a single correctly formatted HTTP request is enough to do so.
The vulnerability also affects NextJS.
https://dawn.fi/uutiset/2025/12/03/react-nextjs-haavoittuvuus
#react #nextjs #haavoittuvuus #tietoturva #uutiset
Nice little #NextJS #React - specifically React Server Components - vulnerability dropped with CVSS of 10/10.
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Which kind of duplicates into CVE-2025-66478 as the downstream implementation in NextJS for the App Router.
Blogposts:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478
“A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”
#vulnerability #react #cybersecurity #cve
https://vulnerability.circl.lu/vuln/CVE-2025-55182
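A defender's check that ties the advisory quote above to the upgrade notice in the translated post (affected 19.0.0, 19.1.0, 19.1.1, 19.2.0; fixed 19.0.1, 19.1.2, 19.2.1): an added script, not from any of the posts, the React project or Next.js, that scans a package-lock.json "packages" map for the three react-server-dom-* packages, including copies nested under another dependency, and reports installs still below the patched release of their minor line. The lock file content is constructed; `findVulnerableRsc`, `compareVersions` and `packageNameFromPath` are names chosen here.

```javascript
// Added example: scan a lockfileVersion 2/3 package-lock.json for vulnerable
// React Server Components packages. Package names and version data come from
// the advisory and upgrade notice quoted in the posts above.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);
// Affected releases per the advisory; first patched release for each minor line.
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Numeric major.minor.patch comparison; any pre-release tag (e.g. "-canary") is
// ignored here, so canary builds need to be confirmed separately.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lock entries are keyed by install path; the package name is everything after
// the last "node_modules/", so nested copies (e.g. under node_modules/next/) count.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

function findVulnerableRsc(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !RSC_PACKAGES.has(name) || !entry.version) continue;
    const line = entry.version.split(".").slice(0, 2).join(".");
    const fix = PATCHED[line];
    const vulnerable = AFFECTED.has(entry.version) ||
      (fix !== undefined && compareVersions(entry.version, fix) < 0);
    if (vulnerable) findings.push({ path, name, version: entry.version, upgradeTo: fix });
  }
  return findings;
}

// Constructed sample lock: plain react is not in scope, the top-level webpack
// build is still on 19.2.0, the nested turbopack copy is already patched.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};
console.log(findVulnerableRsc(sampleLock)); // one finding: webpack 19.2.0 -> 19.2.1
```

Run it against a real lock file with `findVulnerableRsc(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no listed package is on an affected release.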
NodeJS is having its Neo4J renaissance
Use javascript for everything, they said... it'll be fine, they said...
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://www.facebook.com/security/advisories/cve-2025-55182
Severe React Server Components Flaw Exposes Millions of Apps and Websites
#Security #Cybersecurity #React #NextJS #RCE #CloudSecurity #Vulnerability #DevOps #WebDev #Meta #Vercel #CVE202555182 #SoftwareEngineering
