Security Alert: CVE-2025-66478 & CVE-2025-55182 (React2Shell) - Next.js React Server Components Remote Code Execution

A critical vulnerability, CVE-2025-66478, has been identified in Next.js applications that use React Server Components (RSC) with the App Router. It carries a CVSS score of 10.0 and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 7.85, and it may allow remote code execution (RCE) when an affected server processes attacker-controlled RSC requests. CVE-2025-66478 is tied to an upstream React issue, CVE-2025-55182 (DVE score 9.15), in the RSC protocol implementation.

The New AppSec Reality: AI Anxiety, Silent Flaws, and Supply Chains

We recently published a series of polls across our social channels to get a pulse on some of today’s application security concerns with AI. These recent conversations with our community reveal a clear and urgent shift in the application security landscape. Results show that while established challenges like software supply chain security remain top of mind, the rapid pace of AI has created a new center of gravity for anxiety.

Navigating Security Clearance Portability in a Zero Trust World

In today’s high-turnover work environment, we’re watching something unusual happen: record numbers of security cleared, experienced professionals are re-entering the job market. They’re leaving shuttered programs, reorganised agencies, downsized contractors, and sometimes entire departments caught in a budget reshuffle. Conventional wisdom says these people are an asset anywhere they land.

SafeBreach Coverage for Updated CISA AR25-338A: BRICKSTORM Backdoor

On December 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Canadian Centre for Cyber Security jointly released Malware Analysis Report AR25-338A, which analyzes BRICKSTORM, a sophisticated backdoor attributed to People’s Republic of China (PRC) state-sponsored cyber actors.

How Firebox and FireCloud Boost Security in Hybrid, Distributed Environments

A few weeks ago, a cyberattack shut down operations at the Japanese brewery Asahi, disrupting its supply chain and affecting product availability across the country. Incidents like these often take advantage of the complexity of distributed infrastructures, where insufficient segmentation between OT (Operational Technology) and IT (Information Technology) environments lets threats spread laterally unchecked.

CVSS 10.0 CVE in React & Next.js: How You Can Stay Safe

On December 3rd, CVE-2025-55182 was published by CISA. This CVSS 10.0 vulnerability allows unauthenticated remote code execution: a threat actor can exploit a flaw in how React decodes payloads sent to React Server Function endpoints. It is important to note that a team that does not use React Server Function endpoints in its app may still be vulnerable if the app supports React Server Components, because the affected decoding logic is part of the RSC runtime itself.

What is Tech Facilitated Abuse? A Guide to Online Gender-Based Violence

Technology is part of everyday life, offering connection and convenience. For many women and girls experiencing gender based violence in the UK, that same technology is increasingly used as a tool of control, surveillance and harm. Understanding how this abuse works is essential for safeguarding and accountability.

Why Customer Support Teams Need Modern DLP for Zendesk

Customer support teams face an impossible paradox: they need to help customers quickly, but customers routinely share sensitive information that creates compliance risks and security exposure. Credit card numbers pasted into chat. Driver's licenses attached to verification tickets. Medical records uploaded to troubleshoot healthcare apps. Social security numbers submitted through web forms. Traditional DLP wasn't built for this reality.

Emerging Threat: CVE-2025-55182 (React2Shell) - React Server Components RCE Vulnerability

On December 3, 2025, the React team released patched versions of the affected React Server Components packages. Framework vendors, including Next.js, provided updated builds on the same day. Any environment using React Server Components or frameworks that embed the RSC pipeline should.