ciso brief

All news with #remote code execution tag

620 articles · page 21 of 31

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.

Critical React2Shell RCE in React.js and Next.js Servers

⚠️ React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near-100% exploitability in default configurations and published proof-of-concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

Chinese Threat Actors Rapidly Exploit React2Shell Flaw

⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.

Cloudflare Outage Caused by Emergency React2Shell Patch

🔧 Cloudflare says an emergency patch to mitigate the critical React2Shell vulnerability (CVE-2025-55182) introduced a change to its Web Application Firewall request parsing that briefly rendered the network unavailable and caused global "500 Internal Server Error" responses. The update targeted active remote code execution attempts against React Server Components and dependent frameworks. Cloudflare emphasized the incident was not an attack and that the change was deployed to protect customers while the industry addresses the flaw.

CISA Adds CVE-2025-55182 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2025-55182, a remote code execution vulnerability in Meta React Server Components, to the Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This type of RCE is a common and serious attack vector that poses significant risk to federal networks and other organizations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their due dates. CISA strongly urges all organizations to prioritize timely remediation and vulnerability management to reduce exposure.

React2Shell critical flaw exploited by China-linked groups

⚠️ React2Shell is a max-severity insecure deserialization vulnerability in the React Server Components 'Flight' protocol that allows unauthenticated remote execution of JavaScript on affected servers. Within hours of disclosure, AWS telemetry observed exploitation attempts by China-linked groups including Earth Lamia and Jackpot Panda, and multiple proof-of-concept exploits have been published. React and Next.js have released patches; administrators should apply updates, scan for vulnerable deployments, and monitor for known exploitation indicators.

Cloudflare outage after WAF update to block React exploit

🛡️ Cloudflare briefly disrupted service after a Web Application Firewall update intended to mitigate a vulnerability in React Server Components (CVE-2025-55182) caused its request parser to fail. The incident began at 09:09 UTC and a corrective change was deployed within ten minutes, but monitoring sites and customers reported widespread errors during the outage. Downdetector logged spikes for enterprise and consumer services including Shopify, Zoom, Claude AI, and AWS. Cloudflare said the change was a protective measure for unpatched customers and confirmed the disruption was not an attack.

China-nexus Rapid Exploitation of React2Shell CVE-2025-55182

🛡️ Amazon observed multiple China state-nexus groups rapidly exploiting CVE-2025-55182 (React2Shell), a critical unsafe deserialization flaw in React Server Components with a CVSS score of 10.0 that affects React 19.x and Next.js 15.x/16.x when using App Router. AWS deployed Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet v1.24+) and MadPot honeypots to detect and block attempts, but these protections are not substitutes for patching. Customers running self-managed React/Next.js applications must update immediately, deploy interim WAF rules, and review logs for indicators such as POST requests with next-action or rsc-action-id headers.

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

Urgent: Patch React 19 and Next.js to Mitigate RCE

⚠️ Developers must immediately upgrade React 19 and affected frameworks such as Next.js after researchers at Wiz disclosed a critical deserialization vulnerability in the React Server Components (RSC) Flight protocol that can enable remote code execution. The flaw exists in default configurations and impacts React 19.0.0, 19.1.0, 19.1.1 and 19.2.0, while Next.js 15.x and 16.x App Router deployments received a related CVE. Upgrade to the latest vendor-recommended releases now and follow the React blog's guidance.

RCE Flaw in OpenAI's Codex CLI Elevates Dev Risks Globally

⚠️ Researchers from CheckPoint disclosed a critical remote code execution vulnerability in OpenAI's Codex CLI that allowed project-local .env files to redirect the CODEX_HOME environment variable and load attacker-controlled MCP servers. By adding a malicious mcp_servers entry in a repo-local .codex/config.toml, an attacker with commit or PR access could cause Codex to execute commands silently whenever a developer runs the tool. OpenAI addressed the issue in Codex CLI v0.23.0 by blocking project-local redirection of CODEX_HOME, but the flaw demonstrates how automated LLM-powered developer tools can expand the attack surface and enable persistent supply-chain backdoors.

Google Cloud guidance on CVE-2025-55182 for React/Next.js

🔒 Meta and Vercel disclosed a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) that also affected some Next.js releases. Google Cloud rolled out a preconfigured Cloud Armor WAF rule (cve-canary), is enforcing protections for Firebase Hosting, and recommends testing the rule in preview while enabling ALB request logging to consume telemetry. Customers should promptly update dependencies to React 19.2.1 and the patched Next.js releases and redeploy services to remove the vulnerability.

Critical RSC Deserialization Flaw in React and Next.js

🚨 A maximum-severity remote code execution vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) allows unauthenticated attackers to execute arbitrary JavaScript by sending crafted payloads to Server Function endpoints. Affected npm packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in specific 19.x releases; fixes are available in 19.0.1, 19.1.2, and 19.2.1. The issue also impacts Next.js (CVE-2025-66478, CVSS 10.0) across multiple releases and has been patched in a series of 15.x and 16.x updates. Security firm Wiz reports roughly 39% of cloud environments host vulnerable instances; apply patches immediately.

Microsoft Quietly Patches Long-Exploited Windows LNK Bug

🔒 Microsoft has quietly fixed CVE-2025-9491, a Windows Shortcut (.LNK) UI misinterpretation flaw that enabled remote code execution and has been abused since 2017 by multiple state-affiliated and criminal groups. The change, deployed in November 2025, forces the Properties dialog to display the full Target command string regardless of length, removing the truncation that hid malicious arguments. Vendors including 0patch and ACROS Security noted alternative mitigations — a UI change by Microsoft and a warning-based micropatch — that together reduce user exposure.

Microsoft mitigates Windows LNK zero-day exploited widely

🔒 Microsoft has quietly mitigated a high-severity Windows LNK vulnerability tracked as CVE-2025-9491, which attackers used to hide malicious command-line arguments inside .lnk files. The flaw relied on padding the Target field so Windows previously masked arguments beyond 260 characters, enabling persistence and malware delivery. Microsoft’s November update now shows the full Target string in Properties but does not remove malicious arguments or warn users. An unofficial 0Patch micropatch limits target strings and warns on unusually long values.

Cloudflare WAF Blocks Critical React Server Components RCE

🛡️ Cloudflare has deployed new WAF protections to mitigate a high-severity RCE in React Server Components (CVE-2025-55182). All customers whose React traffic is proxied through the Cloudflare WAF are automatically protected — the rules are included in both the Free Managed Ruleset and the standard Managed Ruleset and default to Block. Rule IDs: Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280; Cloudflare Workers are immune. Customers on paid plans should verify Managed Rules are enabled and update to React 19.2.1 and the recommended Next.js releases (16.0.7, 15.5.7, 15.4.8).

Code Injection Vulnerability in Longwatch Device Firmware

⚠️ Industrial Video & Control Longwatch versions 6.309–6.334 contain a code injection vulnerability that allows unauthenticated HTTP GET requests to execute arbitrary code, resulting in SYSTEM-level remote code execution. CISA assigns high severity (CVSS v4 9.3; CVSS v3.1 9.8) and recommends upgrading to version 6.335 or later. Reduce network exposure, isolate control networks behind firewalls, and use secure remote access methods while applying the vendor patch.

Mirion Medical EC2 NMIS BioDose: High-Risk Vulnerabilities

⚠️ Mirion Medical's EC2 Software NMIS BioDose versions prior to 23.0 contain multiple high-severity vulnerabilities (CVSS v4: 8.7) that are remotely exploitable and can enable code execution, data disclosure, and unauthorized access. The issues include incorrect permission assignment, client-side authentication, and hard-coded credentials affecting installed executables, the embedded SQL Server, and database accounts. Mirion recommends updating to v23.0 or later; CISA advises isolating control networks, minimizing exposure, and using secure remote access while performing impact analysis.

Google Antigravity AI coding tool vulnerable to exploits

⚠️ Google’s AI-assisted coding tool Antigravity, launched in early November, has a critical vulnerability discovered by researchers at Mindgard within 24 hours that can install a persistent backdoor and execute malicious code each time the application starts. The flaw arises because the assistant follows custom user rules unconditionally and gives excessive weight to rules embedded in project source, while a global configuration directory can hold files specifying arbitrary commands that are read and acted on at startup. Mindgard also identified two additional vulnerabilities that could expose user data, and no patch is yet available.