Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The modern JavaScript ecosystem was shaken this week as Meta, Vercel, Google Cloud, AWS, and leading security researchers revealed two critical issues: CVE-2025-55182 and the downstream Next.js variant CVE-2025-66478. Both are rated CVSS 10 and allow remote code execution (RCE) by exploiting weaknesses in the React Server Components (RSC) “Flight” protocol. The vulnerabilities affect React 19 and all major frameworks embedding the RSC implementation, most notably Next.js 15.x and 16.x.

Part of the process of achieving ISO 27001 certification is creating the fundamental documents necessary to outline and prove your security. One of those fundamental documents is the SoA, or Statement of Applicability. The statement of applicability is a rundown of all of the ISO 27001 security controls, and a discussion of whether or not that control applies to your business.

JFrog continues to track and provide updates on React2Shell at research.jfrog.com.

While the world worries about "jailbreaking" LLMs or preventing them from hallucinating, a critical new vulnerability has just reminded us of a fundamental truth: AI is just software, and software has bugs. A newly discovered critical flaw (CVE-2025-62164) in vLLM, one of the most popular libraries for serving large language models, allows attackers to achieve Remote Code Execution (RCE) or crash servers simply by sending a malicious API request. This isn't a failure of the AI model.

‍ AI is transforming businesses at breakneck speed—but security isn’t keeping up. ‍ According to Vanta’s State of Trust Report 2025, which surveyed over 2,500 business and IT leaders around the world, 3 in 5 say AI-related security threats are outpacing their expertise. With a majority of organizations experiencing threats weekly, AI is not just driving the volume, but the precision of these attacks.

Every IT stack may look tidy on a diagram. If so, then it’s tempting to assume everything works fine. And yet, systems rarely fail as a whole. Usually, it’s a part or functionality. For instance, anyone who ever untangled a broken workflow in GitHub, GitLab, Bitbucket or Azure DevOps, or a corrupted field in Jira, knows it too well. And that’s the quiet tension (“to fix one little thing”) inside every modern backup strategy.