Notices by Chris Wysopal (weld@infosec.exchange)

🚨 Critical React + Next.js RCE Alert 🚨
New flaws in the React Server Components “Flight” protocol (CVE-2025-55182 & CVE-2025-66478) allow unauthenticated remote code execution on default installations.

Attackers only need one malicious HTTP request to take over a server.

Wiz reports 39% of cloud environments are vulnerable.

If you're running:
• React 19.0–19.2
• Next.js 14.3.0-canary, 15.x, 16.x (App Router)
• Any framework bundling react-server (Redwood, Waku, Vite/Parcel RSC plugins, etc.)

👉 You are likely exposed. Patch immediately.

Updates now available:
React 19.0.1 / 19.1.2 / 19.2.1
Next.js 14.3.0-canary.88 / 15.0.5+ / 16.0.7

Full RCE. Remote. Unauthenticated. Near-100% exploit reliability.

Patch today. Do not wait.

The EU Product Liability Directive will take effect Dec 2026. Software, firmware, applications, AI systems, and will now be subject to the same strict liability regime as traditional physical goods. Cybersecurity vulnerabilities will be considered product defects. Analysis by Reed Smith LLP: https://www.lexology.com/library/detail.aspx?g=bbef1939-2af0-465a-8b8f-c1ff3ebe9118

Palo Alto crosswalk buttons apparently hacked to imitate Musk, Zuckerberg voices saying some wild things. https://www.paloaltoonline.com/technology/2025/04/12/silicon-valley-crosswalk-buttons-apparently-hacked-to-imitate-musk-zuckerberg-voices/

Message security reminder:

Text Messages sent between Apple and Android devices are not end to end encrypted.

Use a secure messaging app. I recommend Signal.

It took massive Chinese telco infiltration but now the US Govt gets it

2015: "We cannot stop what we cannot see," Rep Mike McCaul

2024: "Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice comms." Jeff Greene, CISA

There is a Tesla #cybertruck at Black Hat MEA but unfortunately you can’t hack it. There is a semi you can hack in the truck hacking area. #cybersecurity

After 18 yrs as Veracode's CTO I have transitioned to Chief Security Evangelist. I'm excited to have more time to engage developers at meetups & conferences. You'll still see me at all the cybersecurity cons. This & the future of AppSec w/Jens Wessling & Alan Shimel: https://techstrong.tv/videos/interviews/the-evolution-of-application-security-integration-with-veracodes-jens-wessling-and-chris-wysopal

It was so great to be part of this amazing panel this year at ⁦@Defcon - Bricked & Abandoned: How To Keep IoT From Becoming An IoTrash. https://securityboulevard.com/2024/11/def-con-32-bricked-abandoned-how-to-keep-iot-from-becoming-an-iotrash/

Breaking: Aliens have finally contacted us, and guess what? They want us to update our antivirus software!

What gets collected gets stolen and resold. Information wants to be freely available for a price. https://cyberscoop.com/23andme-user-data-theft/

"Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo."

Looks like there will be a market for AI vuln remediation!

https://www.theregister.com/2022/12/21/ai_assistants_bad_code/

Social media is metastasizing and I am here for it.

I was there for BBSes.
I was there for IRC.
I was there for AOL chat.
I was there for Facebook.
Yeah didn't like Myspace.
I was there for Twitter.
I am here for private Slack
Now I am here for Mastodon.

It's been amazing seeing a whole community that has built up over 10+ years migrate to a new platform. The sentiment I have seen and heard repeated is that people have 1/10th the followers and have more engagement (I know that word). This can only mean goodness.