GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Dec-2025 01:25:26 JST Kevin Beaumont Kevin Beaumont

    There is an unauthenticated remote code execution vulnerability in React Server Components.

    Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

    If your app’s React code does not use a server, your app is not affected by this vulnerability.

    CVE-2025-55182

    Mastodon server not impacted btw.

    https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

    In conversation about 7 months ago from cyberplace.social permalink

    Attachments

    1. Domain not in remote thumbnail source whitelist: react.dev
      Critical Security Vulnerability in React Server Components – React
      from @reactjs
      The library for web and native user interfaces
    • Embed this notice
      Christoffer S. (nopatience@swecyb.com)'s status on Thursday, 04-Dec-2025 04:48:33 JST Christoffer S. Christoffer S.
      in reply to

      @GossiTheDog Worth mentioning that Node.js appears affected 15.x and 16.x.

      https://nextjs.org/blog/CVE-2025-66478

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Dec-2025 04:59:19 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Vulnerability hype train derail time - these vulns only apply to React 19 (released within the past year) and only when using a specific new feature, React Server.

      In conversation about 7 months ago permalink
    • Embed this notice
      Andrew Golding (huronbikes@cyberplace.social)'s status on Thursday, 04-Dec-2025 05:25:41 JST Andrew Golding Andrew Golding
      in reply to

      @GossiTheDog I had to doublecheck our FE at work just to be sure we're not using the affected components. Luckily, while React Router (formerly remix) is affected by this, it is only affected if experimental support for React Server Components is enabled.

      Meanwhile, this does nothing to lessen the general levels of ire I have for the entire JavaScript and friends ecosystem.

      In conversation about 7 months ago permalink
    • Embed this notice
      Cedric (cedric@social.circl.lu)'s status on Thursday, 04-Dec-2025 06:06:33 JST Cedric Cedric
      in reply to

      @GossiTheDog With this many sightings (mostly from Bluesky), there is surely at least a bit of hype: https://vulnerability.circl.lu/vuln/CVE-2025-55182#sightings

      In conversation about 7 months ago permalink

      Attachments

      1. No result found on File_thumbnail lookup.
        cvelistv5 - CVE-2025-55182
        from /humans.txt
        Vulnerability-Lookup - Fast vulnerability lookup correlation from different sources.
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Dec-2025 03:18:18 JST Kevin Beaumont Kevin Beaumont
      in reply to

      The React vulns have the usual panicked nonsense going on - people posting fake PoCs (all of them are fake), people spraying fake PoCs over the whole internet, people posting screenshots of fake PoC activity thinking it real, doomsday scenario posts etc etc.

      It’s actually a niche scenario bug for vast majority of orgs, just stay calm and patch if you are actually impacted (spoiler: you probably aren’t).

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/662/663/461/191/874/original/c0bf29e9f40cb6de.jpeg
      Haelwenn /элвэн/ :triskell: repeated this.
    • Embed this notice
      SirBeringer (sirberinger@cyberplace.social)'s status on Friday, 05-Dec-2025 03:58:18 JST SirBeringer SirBeringer
      in reply to

      @GossiTheDog hmmm, normally Maurice doesn’t post BS

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Dec-2025 19:50:33 JST Kevin Beaumont Kevin Beaumont
      in reply to

      We have our first victim of overreacting to the React vuln - the Cloudflare global outage was them taking down their own service to fix an actually very niche vuln.

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/666/563/428/460/582/original/764b701db42422da.jpeg
      Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      evariste.gal🌈is (evaristegal0is@mastodon.social)'s status on Friday, 05-Dec-2025 20:05:36 JST evariste.gal🌈is evariste.gal🌈is
      in reply to

      @GossiTheDog Well, they sell WAF-as-a-Product, so introducing observability to identify CVE-2025-55182 payloads seems a legitimate choice, I don't think it is overreacting in this case

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Dec-2025 20:23:16 JST Kevin Beaumont Kevin Beaumont
      in reply to

      New by me - cybersecurity industry overreacts to React vulnerabilities, sets itself on fire https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnerability-starts-panic-burns-own-house-down-again-e85c10ad1607

      In conversation about 7 months ago permalink

      Attachments


    • Embed this notice
      iced depresso (icedquinn@blob.cat)'s status on Friday, 05-Dec-2025 21:34:05 JST iced depresso iced depresso
      in reply to
      @GossiTheDog is there some reason people keep taking their entire enterprise own instead of like. canary rollouts.

      can we maybe not all be stupid and keep centralizing everything to the point of catastrophic societal failure because someone flubbed a key rotation
      In conversation about 7 months ago permalink
    • Embed this notice
      mschade_ (mschade_@infosec.exchange)'s status on Friday, 05-Dec-2025 22:22:59 JST mschade_ mschade_
      in reply to

      @GossiTheDog did Qualys really use the Fake POC to show that they reconstructed the vulnerability? https://threatprotect.qualys.com/2025/12/04/react-server-components-rsc-remote-code-execution-vulnerabilities/

      In conversation about 7 months ago permalink

      Attachments

      1. Domain not in remote thumbnail source whitelist: threatprotect.qualys.com
        React Server Components (RSC) Remote Code Execution Vulnerabilities – Qualys ThreatPROTECT
    • Embed this notice
      MemoryLeech (cyberleech@cyberplace.social)'s status on Friday, 05-Dec-2025 23:37:34 JST MemoryLeech MemoryLeech
      in reply to

      @GossiTheDog

      Potential exploitation being seen itw, no surprise the miners may be first past the post.

      In conversation about 7 months ago permalink
    • Embed this notice
      fuzzyfuzzyfungus (fuzzyfuzzyfungus@cyberplace.social)'s status on Saturday, 06-Dec-2025 00:03:58 JST fuzzyfuzzyfungus fuzzyfuzzyfungus
      in reply to

      @GossiTheDog There isn't; but there probably should be a level of engineering professionalism and change control where "an actor working within the scope of his authorization broke the system" is more damning than "an attacker broke the system" rather than less.

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Dec-2025 00:55:08 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Really interesting thing happening with the React vuln where lots of the cyber companies reporting exploitation don't appear to realise they're reporting on exploit attempts for GitHub PoCs which aren't actually real - said PoCs just set up a vuln webapp in a way nobody would in real world.

      It's not all the attempts but it's a large portion.

      Me:

      In conversation about 7 months ago permalink

      Attachments


      1. No result found on File_thumbnail lookup.
        http://portion.Me/
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Dec-2025 00:56:27 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Similarly attacks are spraying the internet with PoCs where I don't think they realise they don't actually work, largely. Cybersecurity is great, I love it.

      In conversation about 7 months ago permalink

      Attachments


    • Embed this notice
      Scott Leggett :fedi: :golang: (smlx@fosstodon.org)'s status on Monday, 08-Dec-2025 16:17:06 JST Scott Leggett :fedi: :golang: Scott Leggett :fedi: :golang:
      in reply to

      @GossiTheDog The bit I think you might be missing is that Next.js has been vulnerable in every 15.x and 16.x release since January 2025 until last week.

      11 months is not "new" in the JS world. In fact, I'd imagine in the age of dependabot et. al. more Next.js sites would have been vulnerable to this when the vuln dropped than not.

      Yes, React Server Components might be niche. But Next.js absolutely is not.

      In conversation about 7 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-Jan-2026 20:09:21 JST Kevin Beaumont Kevin Beaumont
      in reply to

      I keep seeing all the vendor write ups about botnets using that React vuln.. but I’m not sure the vendors understand that botnets integrating something does not equal success.

      The whole thing has been pretty eye opening.

      In conversation about 6 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.