CVE-2025-55182 vulnerability in React and Next.js | Kaspersky official blog

On December 3, the coordinated disclosure and patching of the critical vulnerability CVE-2025-55182 (CVSS v3 score 10.0) became public. The flaw sits in React Server Components (RSC) and therefore also affects the projects and frameworks built on them: Next.js, the React Router RSC preview, Redwood SDK, Waku, and the RSC plugins for Vite and Parcel. It allows any unauthenticated attacker to send a request to a vulnerable server and execute arbitrary code on it. Given that tens of millions of websites, Airbnb and Netflix among them, are built on React and Next.js, and that vulnerable versions of the components were found in roughly 39% of the cloud environments surveyed, exploitation could be very widespread. Measures to protect your online services must be taken immediately.

A separate CVE-2025-66478 was initially created for the Next.js vulnerability, but it was deemed a duplicate, so the Next.js defect also falls under CVE-2025-55182.

Where and how does the React2Shell vulnerability (CVE-2025-55182) work?

React is a popular JavaScript library for building web application user interfaces. With React Server Components (RSC), first previewed at the end of 2020 and shipped as stable in React 19, part of the work of assembling a page moves from the browser to the server: page code can call React functions that run on the server, receive their output, and splice it into the page. This makes some sites faster because the browser no longer has to download code it does not need. RSC splits an application into server components, which may perform server-side operations (database queries, access to secrets, heavy computation), and client components, which stay interactive on the user's machine. A lightweight protocol called Flight, carried over HTTP, streams the serialized data between client and server.

CVE-2025-55182 lies in the handling of Flight requests, more precisely in the unsafe deserialization of the incoming data stream. Affected are React Server Components 19.0.0, 19.1.0, 19.1.1 and 19.2.0, specifically the react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack packages. The affected Next.js releases are 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6 and 16.0.6 (the last unpatched release in each branch).

To exploit it, the attacker sends a single crafted HTTP request to the server. No authentication or other checks run before the vulnerable deserialization, so that one request can spawn a process on the server with the privileges of the process serving the React application.

There is no confirmed in-the-wild exploitation of CVE-2025-55182 yet, but experts agree that it is feasible and will most likely be large-scale: Wiz reports that its test RCE exploit works with close to 100% reliability, and a proof-of-concept exploit is already public on GitHub, so attackers will have little trouble adopting it for mass attacks.

React was originally designed for client-side code that runs in the browser; the server-side components that contain the flaw are comparatively new. Projects built on older React versions, or projects in which React Server Components are disabled, are not affected.

Not using server functions in your own code, however, does not mean you are protected: the RSC machinery that decodes incoming requests can still be active. Sites and services built on recent React versions with default settings (for example, a Next.js application scaffolded with create-next-app) are vulnerable.

Protective measures against exploitation of CVE-2025-55182

Updates. React users should update to 19.0.1, 19.1.2 or 19.2.1, whichever matches their branch. Next.js users should update to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7. Detailed instructions for updating the react-server packages in React Router, Expo, Redwood SDK, Waku and other projects are given in the React blog.
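To turn the affected and fixed version lists above (the React Server Components packages and Next.js releases named earlier, and the update targets just given) into a check you can run against a project, here is an added example; it is not code from the Kaspersky post, the React project or Vercel. It reads a package-lock.json (lockfile version 2 or 3), reports every copy of react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel and next it finds, including nested copies, and classifies each one. It assumes that any release of a branch below the fixed release listed above is unpatched (the post names only the last unpatched release per branch), and it deliberately reports canary/prerelease builds and unlisted branches as "unknown" rather than guessing.

```javascript
// Added example, not code from the Kaspersky post, React or Vercel: flag the
// CVE-2025-55182-affected React Server Components and Next.js versions in a
// package-lock.json.
//
// Fixed releases per "major.minor" branch, taken from the update guidance above.
// Assumption: every release of a branch below the fixed one is unpatched.
const FIXED_PATCH = {
  'react-server-dom-webpack':   { '19.0': 1, '19.1': 2, '19.2': 1 },
  'react-server-dom-turbopack': { '19.0': 1, '19.1': 2, '19.2': 1 },
  'react-server-dom-parcel':    { '19.0': 1, '19.1': 2, '19.2': 1 },
  'next': { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 },
};

// Parse "19.2.0" or "19.2.0-canary-abc123" into numeric parts plus any prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// 'vulnerable' | 'fixed' | 'unknown' (prerelease build, or a branch the post does
// not list: check the React advisory by hand) | 'n/a' (package not in scope).
function assess(pkg, version) {
  const branches = FIXED_PATCH[pkg];
  if (!branches) return 'n/a';
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const fixedPatch = branches[`${p.major}.${p.minor}`];
  if (fixedPatch === undefined || p.prerelease) return 'unknown';
  return p.patch < fixedPatch ? 'vulnerable' : 'fixed';
}

// Walk a package-lock.json (lockfileVersion 2 or 3). Keys under "packages" are
// install paths such as "node_modules/next" or
// "node_modules/tool/node_modules/react-server-dom-webpack", so nested copies
// that a top-level dependency listing would hide are reported too.
function scanLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // the root project itself
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (!(name in FIXED_PATCH)) continue;
    findings.push({ path: installPath, name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lock file (not a real project), used when no path is given.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  },
};

if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it as `node check-rsc.js path/to/package-lock.json`; with no argument it scans the constructed sample embedded in the script. A "fixed" or "n/a" result says nothing about other vulnerabilities, a lock file only tells you what is installed and not which bundler actually serves RSC traffic, and every "unknown" still has to be checked against the React advisory.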

Cloud provider protection. Major providers have published rules for their web application firewalls (WAF) that block exploitation attempts:

  • Akamai (rules for App & API Protector users);
  • AWS (AWS WAF rules are included in the standard set but require manual activation);
  • Cloudflare (protects all customers, including those on the free plan. Works if traffic to the React application is proxied through Cloudflare WAF. Customers on professional and enterprise plans should verify that the rule is active);
  • Google Cloud (Cloud Armor rules for Firebase Hosting and Firebase App Hosting are applied automatically);
  • Vercel (rules are applied automatically).

However, all providers stress that WAF protection only buys time for patching: the RSC packages still need to be updated in every project.

Protecting web services on your own servers. The least invasive option is to add rules that block exploitation attempts to your WAF or firewall. Most vendors have already released suitable rule sets, but you can also build your own, for example from our list of dangerous POST requests.

If fine-grained inspection and filtering of web traffic is not possible in your environment, inventory all servers that expose RSC server-function endpoints and restrict access to them as far as possible: for internal services, block requests from all untrusted IP ranges; for public services, tighten IP-reputation filtering and rate limiting.
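One concrete form of the access restriction just described, as an added example (not code from the Kaspersky post or from Next.js): in Next.js a call to a server function is an HTTP POST carrying a Next-Action header, so a request filter in front of the application can single those requests out and apply a trusted-IP allowlist (internal services) or per-IP rate limiting (public services). Everything else here is an assumption: IPv4 only, the client IP already resolved from the socket or a trusted proxy header, a fixed-window counter as the rate limiter, and constructed sample requests rather than captured traffic.

```javascript
// Added example, not code from the Kaspersky post or Next.js: a compensating
// control that restricts who can reach server-function endpoints.
// Assumptions: Next.js (server-function calls are POSTs with a Next-Action
// header), IPv4 only, req.ip already holds the real client address.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if `ip` lies inside `cidr` ("10.0.0.0/8"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Next.js marks a server-function invocation with a Next-Action header on a POST.
// Header names are matched case-insensitively (Node lowercases them, proxies may not).
function isServerFunctionCall(req) {
  return req.method === 'POST' &&
    Object.keys(req.headers).some(k => k.toLowerCase() === 'next-action');
}

// Fixed-window counter per IP; `state` is a Map shared across calls in one process.
function overRateLimit(ip, now, state, { max, windowMs }) {
  const slot = state.get(ip);
  if (!slot || now - slot.start >= windowMs) {
    state.set(ip, { start: now, count: 1 });
    return false;
  }
  slot.count += 1;
  return slot.count > max;
}

// Returns { action: 'allow' | 'deny', reason }. Non-server-function traffic
// passes untouched; only the requests that reach the vulnerable decoder are gated.
function decide(req, policy, state, now = Date.now()) {
  if (!isServerFunctionCall(req)) return { action: 'allow', reason: 'not a server-function call' };
  if (policy.trustedCidrs.some(c => inCidr(req.ip, c))) return { action: 'allow', reason: 'trusted range' };
  if (policy.mode === 'internal') return { action: 'deny', reason: 'server functions are internal-only' };
  if (overRateLimit(req.ip, now, state, policy.rateLimit)) return { action: 'deny', reason: 'rate limit exceeded' };
  return { action: 'allow', reason: 'within limits' };
}

// Assumed policy: 'internal' denies every untrusted source, 'public' rate-limits it.
const POLICY = {
  mode: 'public',
  trustedCidrs: ['10.0.0.0/8', '192.168.1.0/24'],
  rateLimit: { max: 20, windowMs: 60_000 },
};

// Constructed sample requests (not captured traffic); the action id is a placeholder.
const SAMPLES = [
  { method: 'GET',  headers: {}, ip: '203.0.113.7' },
  { method: 'POST', headers: { 'next-action': '<action-id>' }, ip: '10.1.2.3' },
  { method: 'POST', headers: { 'Next-Action': '<action-id>' }, ip: '203.0.113.7' },
];

if (typeof require === 'function' && require.main === module) {
  const state = new Map();
  for (const r of SAMPLES) {
    const d = decide(r, POLICY, state);
    console.log(`${d.action.padEnd(5)} ${r.method} from ${r.ip}: ${d.reason}`);
  }
}
```

This is a stop-gap, not a fix: it narrows who can reach the vulnerable decoder but does not remove the bug, and a framework other than Next.js marks server-function calls differently. Wire `decide` into whatever sits in front of the application (a reverse proxy, an Express middleware, or Next.js middleware) and keep the `state` Map per process; for a multi-instance deployment move the counter into shared storage so an attacker cannot spread requests across instances.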

An EPP/EDR agent on servers running RSC adds another layer: it can detect anomalous behaviour of the react-server process after a successful exploit and stop the attack from progressing.

In-depth investigation. Although in-the-wild exploitation has not been confirmed, it cannot be ruled out that it is already under way. Review network-traffic and cloud-environment logs, and if you find suspicious requests, run a full incident response, including rotation of keys and any other secrets that were reachable from the server. Signs of post-exploitation activity to look for first: reconnaissance of the server environment, searches for secrets (.env files, CI/CD tokens and the like), and installation of web shells.

Kaspersky official blog – Read More

Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say

Based on a leaked video, security researchers alleged that Intellexa staffers have remote live access to their customers’ surveillance systems, allowing them to see hacking targets’ personal data.

Security News | TechCrunch – Read More

Your year-end infosec wrapped

Welcome to this week’s edition of the Threat Source newsletter. 

“They say that a person’s personality is the sum of their experiences. But that isn’t true, at least not entirely, because if our past was all that defined us, we’d never be able to put up with ourselves. We need to be allowed to convince ourselves that we’re more than the mistakes we made yesterday. That we are all of our next choices, too, all of our tomorrows.” ― Fredrik Backman 

It’s December, so ‘tis the season to enjoy the onslaught that is a reflection of your year. Here there be tygers… and Spotify Wrapped,  Goodreads Year in Books, Duolingo Year in Review, and… and…  

This is the perfect opportunity to reflect on the defining moments of your career in information security. I can predict, without fail, your defining moment. No matter the length of that career and no matter the breadth and depth of your knowledge, I can assure you that the defining moment is not when you flexed your expertise, but rather when you made the most impactful mistake you can make in your given role at the time. 

Ask any practitioner for a success story and it’s a struggle — partially because they aren’t that memorable and partially because it stokes the imposter syndrome fire to five-alarm bonfire levels. Ask the same practitioner for examples of huge mistakes or failures and get ready for never-ending stories. The best part about that is that not only are those stories wildly entertaining, they are also incredibly instructive. Not only have I learned the most in my career BY FAR from my mistakes, but I’ve learned a lot from the mistakes of my peers and friends. They just seem to make them less often, which is really infuriating (and there goes my imposter syndrome). 

So, take a second to look back on the biggest mistakes in 2025 and in your career. Go on, open your Notes app (after finishing this fantastic newsletter, of course). Then pull up a stump, take some time in one of the big team get-togethers that are so common during this time of year, and share. You’ll entertain, you’ll teach, you’ll connect, and you’ll learn from your peers who will jump in to share the bizarre and hilarious missteps that led them to their current job. 

“I’ve missed more than 9,000 shots in my career. I’ve lost almost 300 games. 26 times I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.” — Michael Jordan 

The one big thing

Cisco Talos released a blog exploring how generative AI (GenAI) is changing cybersecurity for both attackers and defenders. Adversaries are using GenAI for coding, phishing, evasion, and vulnerability discovery, especially as uncensored models become more widely available. While GenAI’s direct role in malware is still limited, its use in social engineering and vulnerability hunting is quickly growing. For defenders, GenAI provides powerful tools to process large amounts of threat data, respond to incidents faster, and proactively find code vulnerabilities. 

Why do I care?

GenAI is lowering the barrier for adversaries to launch sophisticated attacks and discover new vulnerabilities, making threats more dynamic and harder to predict. At the same time, defenders who harness GenAI effectively can level the playing field. GenAI can help defenders overcome issues created by analyst shortages and overwhelming data volumes, gaining the edge in detection and response. 

So now what?

Now’s the time for security teams to start experimenting with GenAI in their daily work — think threat detection, incident response, and reviewing code for vulnerabilities. It’s also important to get comfortable with these tools and train teams so everyone knows how to use them wisely. As GenAI keeps evolving, staying flexible and combining smart automation with human expertise will be key to staying secure.

Top security headlines of the week 

Police disrupt “Cryptomixer,” seize millions in crypto 
Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities. (Dark Reading)

Malicious Rust crate delivers OS-specific malware to Web3 developer systems 
Researchers have discovered a malicious Rust package that features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. (The Hacker News)

Chrome, Edge extensions caught tracking users, creating backdoors 
A threat actor published over one hundred extensions, which were seen profiling users, reading cookie data to create unique identifiers, and executing payloads with browser API access. (SecurityWeek)

CISA warns of ScadaBR vulnerability after hacktivist ICS attack 
CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with an old “OpenPLC ScadaBR” flaw that was recently leveraged by hackers to deface a honeypot they believed to be an industrial control system (ICS). (SecurityWeek)

New legislation targets scammers that use AI to deceive 
Following a rash of AI-assisted impersonations of U.S. officials, the bill would raise the financial and criminal penalties around using the technology to defraud. (CyberScoop)

Can’t get enough Talos? 

Ranksgiving Returns: The Appetizer Uprising
Guess who’s back? Hazel, Bill and Joe welcome back fresh-from-parental-leave Dave Liebenberg, who has returned with a new baby and some truly chaotic Thanksgiving opinions.

Cisco Talos Incident Response: Threat Hunting at GovWare 2025 
Yuri Kramarz goes behind the scenes of the Security Operations Centre (SOC) at the GovWare Conference and Exhibition in Singapore, which Talos IR supported for the first time this year.

Talos Takes: When you’re told “no budget” 
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: ck8yh2og.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: ~6325.tmp 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Example Filename: g77wokon.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

Cisco Talos Blog – Read More

Cybersecurity M&A Roundup: 30 Deals Announced in November 2025

Significant cybersecurity M&A deals announced by Arctic Wolf, Bugcrowd, Huntress, Palo Alto Networks, and Zscaler.

The post Cybersecurity M&A Roundup: 30 Deals Announced in November 2025 appeared first on SecurityWeek.

SecurityWeek – Read More

A New Anonymous Phone Carrier Lets You Sign Up With Nothing but a Zip Code

Privacy stalwart Nicholas Merrill spent a decade fighting an FBI surveillance order. Now he wants to sell you phone service—without knowing almost anything about you.

Security Latest – Read More

Protect Your Digital Life with a 5-Year iProVPN Plan for $20

Protect 10 devices with encrypted browsing, global server access, and long-term online privacy you control.

The post Protect Your Digital Life with a 5-Year iProVPN Plan for $20 appeared first on TechRepublic.

Security Archives – TechRepublic – Read More

Your favorite AI tool barely scraped by this safety review – why that’s a problem

The Future of Life Institute assigned letter grades to eight leading AI labs to score their safety efforts. The results look like the report card of a child who’s barely making an effort.

Latest news – Read More

This browser lets you use AI locally on your phone, even offline – here’s how

Puma works on iPhone and Android, giving you private, local AI right in your mobile browser.

Latest news – Read More

Your Android phone may be in critical danger – update it ASAP

Google just gave you 107 reasons to update your Android phone, including high-severity vulnerabilities and several that are the worst of the worst.

Latest news – Read More

Inotiv Says Personal Information Stolen in Ransomware Attack

Hackers stole the names, addresses, Social Security numbers, and financial and medical information of 9,542 people.

The post Inotiv Says Personal Information Stolen in Ransomware Attack appeared first on SecurityWeek.

SecurityWeek – Read More