Best of Vulnerability2025

  1. Article · Collections · 19w

    Critical Vulnerability in React Server Components: Immediate Action Required

    React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability with a CVSS score of 10.0, affecting React 19.0-19.2.0 and Next.js 15.x-16.x. The flaw stems from unsafe deserialization in React's Flight protocol, allowing unauthenticated attackers to execute arbitrary code through crafted HTTP requests. State-sponsored groups and cybercriminals are actively exploiting it to deploy cryptocurrency miners and backdoors. Organizations must upgrade to patched versions (React 19.0.1+, Next.js 15.0.5+) immediately, as the vulnerability impacts 39% of cloud environments and 6% of all websites. WAF rules and endpoint restrictions provide temporary mitigation.

  2. Article · Product Hunt · 28w

    Strix: Open-source AI hackers for your apps

    Strix is an open-source AI penetration testing agent that automatically discovers, validates, and reports security vulnerabilities in applications. With 2,000 GitHub stars and 8,000 downloads in its first month, it's being adopted by Fortune 500 security teams, top bug bounty hunters, and auditing firms. The tool generates proof-of-concept exploits, produces compliance reports, and integrates into CI/CD pipelines to catch vulnerabilities before production deployment.

  3. Video · Fireship · 18w

    React.js shell shocked by 10.0 critical vulnerability…

    A critical 10.0 severity vulnerability (CVE-2025-55182), dubbed "React2Shell", has been discovered in the Flight protocol used by React Server Components. The exploit allows attackers to achieve remote code execution without authentication by sending malicious payloads that are deserialized on the server. The vulnerability affects millions of React applications using Next.js and similar frameworks, with over 2 million vulnerable servers estimated. Security researchers observed active exploitation attempts from Chinese hacking groups within hours of disclosure. Developers should immediately check their React Server Components package versions and update to patched versions.

  4. Article · The Hacker News · 39w

    Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub

    Security researchers discovered over 260,000 leaked Laravel APP_KEYs on GitHub, with 600+ applications vulnerable to remote code execution attacks. The vulnerability stems from Laravel's decrypt() function automatically deserializing data, allowing attackers with exposed APP_KEYs to execute arbitrary code. The issue affects both older Laravel versions (CVE-2018-15133) and newer versions with specific session configurations (CVE-2024-55556). Researchers found 63% of exposures come from .env files containing additional sensitive data, and 28,000 APP_KEY/APP_URL pairs were exposed together, making attacks trivial. Proper mitigation requires immediate key rotation, system updates, and continuous secret monitoring rather than simply deleting exposed keys.

  5. Article · Embrace The Red · 20w

    Antigravity Grounded! Security Vulnerabilities in Google's Latest IDE · Embrace The Red

    A security researcher discovered five critical vulnerabilities in Google's new Antigravity IDE, including remote code execution via indirect prompt injection, data exfiltration through multiple vectors, and hidden instruction execution using invisible Unicode characters. These issues were previously reported in Windsurf (on which Antigravity is based) but remain unpatched. The vulnerabilities exploit the IDE's auto-execute features, the lack of human-in-the-loop controls for MCP tool invocations, and over-reliance on LLM output for security decisions. Practical mitigations include disabling auto-execute, carefully managing MCP server permissions, and considering alternative IDEs until fixes are deployed.

  6. Article · The Hacker News · 18w

    React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

    CISA has accelerated the patching deadline for React2Shell (CVE-2025-55182), a critical vulnerability with a CVSS score of 10.0 affecting React Server Components and frameworks like Next.js. The flaw allows unauthenticated remote code execution through unsafe deserialization. Since disclosure on December 3, 2025, threat actors have conducted widespread exploitation with over 35,000 attempts recorded in a single day, targeting government sites, critical infrastructure, and technology companies. Over 137,000 vulnerable IP addresses remain exposed globally, with attackers deploying cryptocurrency miners, botnet malware, and conducting reconnaissance for supply chain attacks.

  7. Video · Low Level Learning · 35w

    So that’s why it’s free..

    Russian hackers are exploiting multiple WinRAR vulnerabilities, including CVE-2025-8088, to attack businesses. The latest exploit uses NTFS alternate data streams and directory traversal techniques to place malicious DLL files in system directories, allowing attackers to execute code when legitimate applications load them. These logic-based vulnerabilities are easier to exploit than memory corruption bugs because they don't require complex memory manipulation, just crafted file structures with specific properties.

  8. Article · Collections · 27w

    Critical Redis Vulnerability CVE‑2025‑49844: Immediate Action Required

    Wiz Research discovered RediShell (CVE-2025-49844), a critical remote code execution vulnerability in Redis with a maximum CVSS score of 10.0. The flaw stems from a 13-year-old use-after-free bug in Redis's Lua interpreter that allows authenticated attackers to bypass the sandbox and execute arbitrary code. With Redis deployed in 75% of cloud environments and 330,000 instances exposed online (60,000 without authentication), the impact is severe. Patches are available for Redis versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2, along with Valkey. Organizations should immediately upgrade, enable authentication, restrict network access, disable unnecessary Lua commands, and implement ACLs to limit script execution.

  9. Video · Low Level Learning · 22w

    I Never Thought I’d See This

    A remote code execution vulnerability was discovered in tokio-tar, an unmaintained Rust library for async tar file processing. The flaw stems from a logic bug in how the library parses tar headers, allowing attackers to smuggle malicious files inside archives that bypass security scanners. The vulnerability affects tools like UV (Python package manager) and container images, enabling file overwrites during extraction. This case highlights that while Rust prevents memory safety issues, logic bugs remain possible, and abandoned dependencies pose significant security risks.

  10. Article · Security Boulevard · 19w

    Undetected Firefox WebAssembly Flaw Put 180 Million Users at Risk

    A stack buffer overflow vulnerability in Firefox's WebAssembly implementation went undetected for six months, affecting over 180 million users across versions 143-145. The flaw, caused by a pointer arithmetic error in garbage collection logic, passed code review and regression testing before being discovered by Aisle's AI-driven analyzer. Mozilla patched the high-severity issue (CVE-2025-13016, CVSS 7.5) within two weeks of disclosure. The vulnerability could have allowed arbitrary code execution when WebAssembly arrays triggered specific memory pressure conditions during garbage collection.