eact is one of the most popular JavaScript libraries, which powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability. This bug could allow even the low-skilled threat actors to execute malicious code (RCE) on vulnerable instances.
Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting React Server Components. The versions that are affected include 19.0, 19.1.0, 19.1.1, and 19.2.0, of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The bug is now tracked as CVE-2025-55182, and was given a severity score of 10/10 (critical).
Read more…
Source: TechRadar News
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- HiatusRAT Actors Targeting Web Cameras and DVRs
December 16, 2024
The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight HiatusRAT1 scanning campaigns against Chinese-branded web cameras and DVRs. Private sector partners are encouraged to implement the recommendations listed in the “Mitigation” column of the table below to reduce the likelihood and impact of these attack campaigns. Threat HiatusRAT is a ...
- 2024 Threat Landscape Statistics: Ransomware Activity, Vulnerability Exploits, and Attack Trends
December 16, 2024
In this blog, the global experts across our Rapid7 Labs and Managed Services teams share real-time vulnerability insights and threat intelligence so that our customers can anticipate and prevent breaches, pinpoint critical threats, and confidently take command of their attack surface. The Rapid7 Labs team has rounded up statistics and trends that caught their eye throughout ...
- Careto is back: what’s new after 10 years of silence?
December 12, 2024
During the first week of October, Kaspersky took part in the 34th Virus Bulletin International Conference, one of the longest-running cybersecurity events. There, Kaspersky researchers delivered multiple presentations, and one of our talks focused on newly observed activities by the Careto threat actor, which is also known as “The Mask”. The Mask APT is a legendary ...
- Modular Java Backdoor Dropped in Cleo Exploitation Campaign
December 11, 2024
While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR observed a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload. Our investigation revealed that the JAR file was part of a modular, Java-based Remote Access Trojan (RAT) system. This RAT facilitated system reconnaissance, file exfiltration, command execution, and encrypted communication with ...
- Exploitation of critical path traversal vulnerability (CVE-2024-41713) and 0-day path traversal vulnerability (CVE-2024-55550) in Mitel MiCollab
December 11, 2024
After proof-of-concept technical details were published on 5 December 2024 for CVE-2024-41713 and CVE-2024-55550, exploitation activity chaining these two Mitel MiCollab vulnerabilities has been reported. MiCollab is a cloud-based platform that integrates chat, voice, video, and SMS messaging for teams. Vulnerability details CVE-2024-41713 is a vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab ...
- Cleo Releases Security Advisory for Harmony, VLTrader, and LexiCom
December 11, 2024
Cleo has released a security advisory addressing two vulnerabilities in Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, which are commonly used to manage file transfers. Cleo LexiCom is a desktop-based client solution for communication with major trading networks Cleo VLTrader is a server-level solution designed to meet the needs of mid-enterprise organisations Cleo Harmony is tailored ...