Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

JFrog continues to track and provide updates on React2Shell at research.jfrog.com.

While the world worries about "jailbreaking" LLMs or preventing them from hallucinating, a critical new vulnerability has just reminded us of a fundamental truth: AI is just software, and software has bugs. A newly discovered critical flaw (CVE-2025-62164) in vLLM, one of the most popular libraries for serving large language models, allows attackers to achieve Remote Code Execution (RCE) or crash servers simply by sending a malicious API request. This isn't a failure of the AI model.

‍ AI is transforming businesses at breakneck speed—but security isn’t keeping up. ‍ According to Vanta’s State of Trust Report 2025, which surveyed over 2,500 business and IT leaders around the world, 3 in 5 say AI-related security threats are outpacing their expertise. With a majority of organizations experiencing threats weekly, AI is not just driving the volume, but the precision of these attacks.

Every IT stack may look tidy on a diagram. If so, then it’s tempting to assume everything works fine. And yet, systems rarely fail as a whole. Usually, it’s a part or functionality. For instance, anyone who ever untangled a broken workflow in GitHub, GitLab, Bitbucket or Azure DevOps, or a corrupted field in Jira, knows it too well. And that’s the quiet tension (“to fix one little thing”) inside every modern backup strategy.